ML20210B946

Report of the Material Control and Material Accounting Task Force. Blueprint for the Future
ML20210B946
Person / Time
Issue date: 04/30/1978
From:
NRC OFFICE OF NUCLEAR MATERIAL SAFETY & SAFEGUARDS (NMSS)
To:
References
NUREG-0450, NUREG-0450-V03, NUREG-450, NUREG-450-V3, NUDOCS 8705060051
Download: ML20210B946 (153)


Text

NUREG-0450 Vol. 3

REPORT OF THE MATERIAL CONTROL AND MATERIAL ACCOUNTING TASK FORCE

Blueprint for the Future

Office of Nuclear Material Safety and Safeguards, U. S. Nuclear Regulatory Commission

NOTICE

The members of the Material Control and Material Accounting Task Force, who are all NRC staff members, are solely responsible for this report. The views expressed herein are those of the Task Force. The Nuclear Regulatory Commission is reviewing this report and has taken no position on the conclusions or recommendations.

Available from National Technical Information Service, Springfield, Virginia 22161

Price: Printed Copy $8.00; Microfiche $3.00. The price of this document for requesters outside of the North American Continent can be obtained from the National Technical Information Service.

Manuscript Completed: March 1978

Date Published: April 1978

Test and Evaluation Branch, Division of Safeguards, Office of Nuclear Materials Safety and Safeguards, U. S. Nuclear Regulatory Commission, Washington, D. C. 20555

CONTENTS

VOLUME III

CHAPTER FIVE - PROPOSED REGULATORY UPGRADES AND SUPPORTING PROGRAMS

Introduction
Integrated Safeguards
  Background
  An Approach to Integrated Safeguards
Upgrades, Near-Term and Long-Term
  Introduction
  Action Plan
  High Priority Regulatory Upgrades
  Other NRC Priority Regulatory Upgrades
  NRC Program Upgrades
Current Development Program
  Introduction
  Evaluation Methods
  New Approaches to Material Control and Material Accounting
  New Techniques for Analyzing Data
  Measurement and Measurement Quality Control
Summary
References

CHAPTER SIX - SPECIAL ISSUES

Introduction
Action Criteria for Inventory Differences
  Proposed Criteria
  Summary of Action Criteria
Material Balance Area Accounting
  Background
  Discussion of Feasibility
  Conclusions and Recommendations
The Analysis of Inventory Differences
  Background
  Trend Analysis
  Conclusions and Recommendations
Rapid Material Control
  Background
  Real-Time, Dynamic or Rapid Material Control Systems
  The Controllable Unit Approach
  Conclusions and Recommendations
Collusion and Material Control and Material Accounting
  Background
  The Stages of Collusion
  Safeguards Against Collusion
  Summary
  Conclusions and Recommendations
Information Flow and Analysis
  Background
  Current Information Flow
  Recommendations
References

GLOSSARY

CHAPTER FIVE

PROPOSED REGULATORY UPGRADES AND SUPPORTING PROGRAMS

Introduction

The purpose of the discussion of the safeguards structure (Chapter Two) and the objectives, goals, and capabilities of material control (Chapter Three) and material accounting (Chapter Four) is to form a basis for proposing a direction for the future, i.e., a blueprint for the development of improved material control and material accounting systems.

This chapter provides a blueprint for the development of these systems by integrating the goals and capabilities of material control and material accounting and recommending specific upgrading actions.

Chapter Six contributes to the blueprint by analyzing several specific issues and developing recommendations for future actions related to those issues.

This chapter begins with a discussion of integrated safeguards.

The Task Force believes that the importance of viewing material control and material accounting from the perspective of a total integrated safeguards program cannot be overstated.

This section proposes an approach for effecting such an integration based upon total program objectives and goals.

The second section addresses regulatory upgrades for the material control and material accounting systems for both the near-term and long term.

These proposed upgrades and the priorities assigned them find their basis in the roles, objectives, goals, and capabilities of Chapters Three and Four.

This section first discusses regulatory upgrades and concludes with a discussion of "NRC Program Upgrades", which are primarily NRC responsibilities not requiring modification of the current regulatory base.

The next section addresses the importance of an evaluation capability in a goal-oriented safeguards program.

It begins by defining the attributes of an effective evaluation methodology and then compares existing methodologies against the attributes. This comparison directly leads into a discussion which addresses NRC's current safeguards development efforts, including evaluation methods, in terms of their applicability to proposed material control and material accounting system goals.

Integrated Safeguards

Background

An effective safeguards program must be based on an integration of physical protection, material control and material accounting systems.

The "Lumb Panel" report to the AEC in 1967 (Reference V-1)* recognized the need for a total systems approach when it recommended the creation of a single office to coordinate the safeguards program. The Energy Research and Development Administration (ERDA)** Master Plan (Reference V-2) for safeguards states its objectives in terms of an "integrated safeguards and security plan" that provides a "defense in depth."

Recent NRC programs and studies have highlighted the need for an integrated approach to safeguards. For example, an ongoing program to upgrade physical protection has developed proposed rule changes (Reference V-3) that have obvious implications for material control and material accounting. Also, as a result of its recent assessments, NRC's Material Control and Accounting Assessment team recommended a total safeguards systems approach to the definition of the roles of material accounting and material control (Reference V-4).

*References appear at the end of the Chapter.

**Now part of the Department of Energy (DOE).

Although the need for such an overall perspective is widely accepted, current safeguards regulations and practices are based largely upon separate and independent physical security, material control, and material accounting systems. This is primarily a result of the way in which safeguards, in the licensed industry, has evolved from an accounting system designed to detect diversion of material between different contract accounts of a licensee to the rather complex mixture of material accounting, material control, and physical protection systems in place today.

Because the safeguards program has evolved in this way, there has been a tendency to establish a division of responsibilities for such systems both at licensed operations and within NRC safeguards management programs.

The difficulties that this approach engenders were clearly reflected by the difficulties that the Task Force had in writing definitions for physical security, material control, and material accounting in Chapter One, and in developing the elements and establishing the goals in Chapters Three and Four for the latter two systems. Overlap and redundancy were unavoidable.

The Task Force recognized that assigning responsibilities, functions, or systems to particular portions of the safeguards program was important for clarity, but in the final analysis the adequacy of a safeguards program must be viewed and judged from a total system perspective.

The important task is to combine these responsibilities, functions, and systems in a cost-effective manner to achieve overall safeguards objectives and functions. This chapter brings together the considerations for material control in Chapter Three and for material accounting in Chapter Four to recommend a place for both within the total safeguards program. However, while an awareness is maintained of the physical protection system it is not directly included, and only a few aspects of NRC safeguards management are discussed. Eventually those programs must be more fully evaluated and integrated to ensure that NRC requirements provide for a cost effective and efficient safeguards program.

An Approach to Integrated Safeguards

The key to an effective NRC integrated safeguards program is to base it on quantified goals such as those proposed in Chapters Three and Four.

However, these goals provide only a starting point. The NRC must implement the goals with a strong planning operation, value-impact evaluations, an accepted evaluation and review process, and an efficient information system, in addition to its operational responsibilities for research, licensing, regulation development, and inspection and enforcement.

Furthermore, integrated safeguards should be developed and reviewed taking into consideration interactions that may exist between the safeguards systems in terms of redundancies, diversities, and synergisms and in terms of undesirable inconsistencies and inefficiencies.

The planning operation should have overall responsibility for integration to ensure that the NRC safeguards program is meeting its objectives by making best use of all portions of the program. The planning operation would establish specific goals and priorities for the program as a whole and for physical protection, material control, material accounting and NRC safeguards management as they contribute together to overall safeguards program objectives.

The second ingredient of an NRC integrated safeguards program is an evaluation methodology. To be acceptable and defendable, an NRC program that is based on quantified, goal-oriented regulations must be supported by an effective evaluation methodology and review procedure. NRC, the licensees, and the public must have assurance that safeguards systems are evaluated consistently and forthrightly.

To do so requires an accepted, standard set of evaluative methods which assess safeguards systems in terms of NRC safeguards goals.

In the final analysis, the most important question the methodology must answer is whether the total safeguards program provides the level of protection desired by the public, and not whether some portion of the program is adequate.

That is not to say that there is not a need for specialized methodologies and techniques designed to look in depth into how well particular procedures or hardware meet specific goals. Such a need definitely exists, but there is also a need for an overall comprehensive evaluation methodology that integrates the results of the specialized efforts into an assessment of the total system.

The existence of an integrated safeguards planning function and an effective evaluation methodology would be of little value without the third part of the integrated safeguards program, an information base tailored to the needs of the evaluation and planning operations and NRC's other safeguards management responsibilities for research, licensing, regulation development, and inspection and enforcement. If NRC is to assess the safeguards performance of the licensed industry in terms of the quantified goals set forth in this study, there will have to be a marked increase in the amount and depth of detail of information reported by licensees. The level of analysis that NRC performs on this information will have to be expanded. This topic is addressed in detail in Chapter Six, under "Information Flow and Analysis."

NRC, as part of its safeguards management role, should support the development of integrated safeguards systems within licensed facilities. Complementary and, if possible, synergistic systems and procedures should be developed. Many tradeoffs are available within physical security, material control, and material accounting on a facility specific basis. Tradeoffs also may be possible among the three systems such that some material control elements may be substituted for some physical security elements, some physical security elements substituted for some material accounting elements, and so on (Reference V-5).

Related Ongoing Rule Changes

Ongoing rule making efforts would decrease the level of separation of physical security systems and material control and accounting systems in NRC regulations. Proposed rule changes to establish performance oriented safeguards requirements for physical protection of plants and materials were published in the Federal Register on July 5, 1977. The performance capabilities for fixed site physical protection systems specified in the proposed rule changes include some subsystems and subfunctions that traditionally have been part of a licensee's material control and accounting program and that are part of material control as defined by the Task Force.

For example, the proposed Section 73.45(d)(1)(iii) specifies "controls and procedures to maintain current knowledge of the identity, quantity, placement, and movement of all strategic special nuclear material within material access areas." Closely related to this is an existing Section 70.58(h) of 10 CFR Part 70 which requires that, as part of a licensee's fundamental nuclear material control program, "a system of storage and internal handling controls shall be established, maintained, and followed to provide current knowledge of the identity, quantity, and location of all special nuclear material contained within a plant in discrete items and containers."

During its deliberations the Task Force has maintained an awareness of the development of rule changes to provide upgraded protection of strategic special nuclear material. The proposed rule change and the Task Force analysis of material control and material accounting are structured somewhat differently. However, the performance capabilities in the proposed rule and the material control and material accounting goals specified by the Task Force are compatible. Achievement of the Task Force goals, in particular those related to the refocusing of custodial control and the utilization of process data, could make a significant contribution to some of the performance capabilities specified in the proposed rule.

Implementation of Task Force recommendations should be coordinated with the ongoing program for upgrading physical protection to ensure continuing compatibility.

Table V-1 is a list of the material control and material accounting goals which are directly related to performance capabilities in the proposed rule change:

TABLE V-1

TASK FORCE GOALS RELATED TO THE PHYSICAL SECURITY UPGRADE RULE

Section in Proposed Physical Security Upgrade Rule    Related Task Force Goals
73.45(c)(1)                                           MC3, MC4, MC5, MC9
73.45(d)(1)                                           MC3, MC4, MC5, MC9
73.45(e)(1)                                           MC6, MC7, MC8, MC10, MA4
73.45(e)(2)                                           MA16, MA22

Integrated Safeguards Conclusions and Recommendations

The Task Force places great importance on the integration of safeguards functions and measures. The adequacy of safeguards, the need for changes in regulations and license conditions, the direction of NRC confirmatory research for safeguards, the NRC safeguards licensing activities, and inspection strategies should be addressed from the perspective of an integrated program.

The safeguards organization should be structured to assure an integrated approach to program activities. The Task Force recognizes that this objective is not completely attainable in the immediate future. Nevertheless, it is an important objective on which NRC safeguards activities can focus.

The Task Force recommends that:

RS-1(a) NRC develop objectives and goals for the total safeguards program in the same degree of detail and specificity as those proposed for material control and material accounting in this report.

(b) NRC develop a goal oriented program for safeguards, including (i) integrated planning and organization, (ii) a total systems approach to research, program development, licensing, and inspection, and (iii) information and evaluation methodologies focusing on safeguards programs from a total system viewpoint.

Upgrades, Near-Term and Long-Term

Introduction

This section begins with a discussion of the type of analysis required before the goals developed in Chapters 3 and 4 can be implemented.

The Task Force's rationale for assigning priorities to the proposed upgrades is presented. The section concludes with a recommended action plan for the implementation of the goals through near-term and long-term upgrades.

From Goals to Upgrades

In Chapters Three and Four, the Task Force developed goals for material control and material accounting and assessed the current regulatory requirements and practices in terms of meeting those goals. In that assessment, the present regulatory base was found to be fundamentally sound and the current implementation of its requirements by licensees was found to result in a high level of safeguards protection. Nevertheless, the Task Force felt there were some areas in which strengthening of safeguards would be appropriate. The degree to which safeguards must be strengthened to meet each goal is discussed in Chapters Three and Four.

In this section, the various material control and material accounting goals are aggregated into proposed upgrade requirements. Since the Task Force developed its objectives and goals in terms of the roles of material control and material accounting in the various safeguards functions, a single capability will often meet a number of different goals. Therefore, this aggregation is important so that the specific capability required to meet the goals can be formulated as clearly and concisely as possible.

Before action is taken upon the implementation plan, a value-impact analysis of the suggested actions is required. This analysis will influence the way that these Task Force recommendations actually are implemented. Since both value-impact analysis and regulatory development are beyond the scope of this effort, the upgrades presented in this Chapter are recommended as candidates for analysis rather than direct incorporation into the regulatory base.

Priorities of Upgrades

In developing priorities for the proposed upgrades the Task Force analyzed each of them to estimate the relative degree of increased safeguards capability that it could provide. Those upgrades for material control and material accounting which the Task Force believed would contribute most significantly to strengthening the overall safeguards program were given high priority. In most cases these upgrades represented the greatest departure from current practices and would have the greatest impact upon licensees. Those upgrades that would result in improvements in current practices fell into the next category of upgrade priorities. These changes would result in moderate strengthening of safeguards. The final category of upgrade priorities consists of actions for which NRC must play the dominant role in implementation. These upgrades will have a greater value for the nuclear fuel cycle as a whole rather than for individual facilities. The Task Force has made no attempt to assign priorities within any of these groups.

Action Plan

An action plan is outlined in this section for implementing material control and material accounting goals that are delineated in Chapters Three and Four. The action plan is broken down according to selected topics, under which near and long-term recommendations are made.

For purposes of this report, near-term is considered to be 18 to 24 months after adoption of the recommendations. This will allow a reasonable time for implementation of improvements that can be made using current technology, either within the current regulatory base by simple changes thereto, or as the first phase of a major rule change. Long-term is considered to be a maximum of five years on the basis that such time would be needed to develop and demonstrate the technology needed to fully implement the recommendations, especially in the area of process monitoring. Long-term upgrades will constitute the second phase of a major rule change that would provide an explicit regulatory base for implementing that part of the program not specifically covered by the current regulations. As a part of the program for upgrades, the Task Force recommends that:

RS-2 NRC expeditiously develop and promulgate a Material Control and Material Accounting Upgrade Rule based on the goals defined in Chapters Three and Four. Short-term improvements should be implemented in phase 1 of the rule. Long-term improvements should be implemented in phase 2.

High Priority Regulatory Upgrades

The high priority regulatory upgrades identified by the Task Force can be categorized as follows:

Process Monitoring

Item Control

Custodial Control

Measurement Verification

All of these topics are focused on providing greater sensitivity in detecting and assessing material losses.

Process Monitoring

A major new thrust for safeguards recommended in this report is the monitoring of the status of material during intervals between physical inventories. This would be achieved through the development of a monitoring program to track material through a process to detect irregularities which may have safeguards significance. The purpose of this is to provide increased vigilance over material status between physical inventories. As indicated in Chapter Three, current regulations do not address the use of process monitoring techniques for safeguarding materials. Research efforts in this area have been initiated and show promise. Examples include studies on Dynamic Material Control (DYMAC), Controllable Unit Accounting (CUA), Safeguards Use of Process and Quality Control Data, Time Series Analysis, and Automation of Processes and In-line Measurements. Before applying the results of such studies to safeguards, reference systems must be designed and tested for monitoring representative processes. In addition, evaluation methods must be developed.

Short-Term Improvements - The NRC assessment reviews have indicated that considerable process control information exists that could be used to detect irregularities in material status between physical inventories.

The Task Force recommends that:

RS-3(a) As an interim measure, implemented through phase 1 of the proposed Upgrade Rule, licensees should incorporate existing or available process monitoring techniques into the safeguards program as a first step in meeting the process monitoring goals (MC3, 8, 9, 10, 11, 14 and 15).

Long-Term Improvements - The Task Force recommends that:

RS-3(b) NRC expeditiously develop and test concepts, technology, and capabilities for applying process monitoring techniques to the detection and assessment of actual or alleged material losses.

(c) Full implementation of the process monitoring goals (MC3, 8, 9, 10, 11, 14 and 15) be required by phase 2 of the proposed Upgrade Rule.

NRC should provide guidance to licensees through issuance of Regulatory Guides and NUREG reports. This should allow reasonable time for licensees to assess and design effective process monitoring capabilities for safeguards on a plant specific basis. More specifically, the recommended efforts include the following:

Develop conceptual designs for process monitoring systems applicable to representative fuel cycle operations.

Develop the technology and assessment methodology required to achieve material control system goals.

Demonstrate system capabilities, and provide guidance to licensees on acceptable methods of implementation.

Provide guidance to licensees on backfitting considerations.

Develop NRC test and evaluation techniques.

Item Control

Closely associated with process monitoring is the control of items and containers of SSNM to protect against their diversion from assigned locations. Present regulations require licensees to perform physical inventories bimonthly and to maintain "current knowledge of the identity, quantity, and location of all special nuclear material in discrete items and containers." The Task Force believes that a significant improvement in loss detection can be achieved by frequent periodic checks of the location and integrity of items and containers between physical inventories.

Short-Term Improvements - The Task Force believes that the proposed program for item control described in goals MC3, 8, 9, 10, 11, 12, 13, 15, MA8 and 9 should be implemented as soon as possible. Therefore, the Task Force recommends that:

RS-4(a) In phase 1 of the proposed Upgrade Rule, licensees be required to meet the intent of the item control goals.

Long-Term Improvements - The Task Force recommends that:

RS-4(b) NRC pursue studies leading to the development, for possible phase 2 implementation, of secured and automated storage of items and containers and the associated continuous monitoring of their presence and integrity.

Custodial Control

The Task Force believes that stewardship for SSNM can be upgraded within the present regulatory base to provide more effective assignment of custodial responsibilities and improved vigilance over the utilization of material and the application of safeguards measures. To assure the adequacy of safeguards control of material during processing operations, the vulnerability of the system to theft or diversion should be analyzed and compensatory measures implemented as appropriate.

Short-Term Improvements - The Task Force recommends that:

R5-5(a) NRC write and promulgate a number of regulatory guides to transfer abstract custodial control concepts into performance standards consistent with the goals MC3, 4, 5, 6, 7, 11, 15, MA3, 8, and 9.

(b) Current plant practices be upgraded, as necessary, in phase 1 of the proposed Upgrade Rule.

Early upgrading would contribute especially to the protection of material during the interim period required to develop and test the process monitoring system described above. The upgrading program should be designed so that regulatory guides are issued to assist licensees in meeting the required upgrades.

Long-Term Improvements - The Task Force believes that continued support should be provided to the development and testing of methodologies and procedures for conducting vulnerability analyses of SSNM in processing operations. The Task Force recommends that:

R5-5(c) Licensees be required, in phase 2 of the Upgrade Rule, to conduct vulnerability analyses for material control and material accounting.

Measurement Verification

Procedures to validate waste discard measurements and intraplant transfer measurements have been identified as areas in the current safeguards program where improvement is desirable. Failure to verify waste measurements could result in the overstatement of material discards by an adversary, with little danger of detection, to offset a loss of material. Failure to verify transfer quantities could impair the custodian program and impede traceability of a material loss within a plant. The regulatory base for correcting these deficiencies needs to be strengthened.

Short-Term Improvements - Because the capability for independent verification of waste discards has not been studied in sufficient detail to determine its feasibility and cost-effectiveness, the Task Force recommends that:

R5-6(a) NRC initiate a study to determine the best means to provide independent verification of the quantities of SSNM discarded as waste.

(b) Pending the results of such a study, NRC require licensees to have an observer organizationally separate from the processing group attest to the validity of quantities of discarded SSNM.

With respect to intraplant material transfers the Task Force recommends that:

R5-6(c) NRC require licensees to either make second-person overcheck measurements on intraplant material transfers or, in those instances where this is not practicable, have an independent observer witness and attest to the original measurement.

The total remeasurement of element and isotope should not be necessary in many cases to provide adequate validation of each transfer. The characteristics of some materials are such that a simple overcheck measurement will suffice.

Long-Term Improvements - The Task Force recommends that:

R5-6(d) The findings of the study to determine the best means to provide independent verification of SSNM waste discards be incorporated into the proposed upgrade rule (MA3 and 13).

(e) The proposed upgrade rule should incorporate the requirements for overcheck of internal transfers (MC6 and 3).

Other NRC Priority Regulatory Upgrades The upgrading recommended in this section is focused primarily on modifying or improving current practices to achieve the level of per-formance prescribed in the goals discussed in Chapters Three and Four.

The subjects to be addressed in this section are:

Material Balance Accounting Shipper-Receiver Evaluations Scrap Control Measurements and Measurement Quality Control Management Control Security of Records Both material control and material accounting considerations are ' included in the above list.

Material Balance Accounting

The proposed goals for material balance accounting (MA6, 7, 8, 9, 14, and 15) will require improvement in performance capabilities. These include improving (1) the timeliness of taking physical inventories on demand, (2) the traceability of transactions through the accounting records, (3) the localization of potential material losses, and (4) the level of assurance provided by the closed material balance. Revisions to the current regulations will be required to incorporate new performance criteria.

Short-Term Improvements - The Task Force recommends that, in phase 1 of the Upgrade Rule:

R5-7(a)

NRC require improvements of licensee accounting procedures to provide ready traceability of information through the accounting process.

(b)

Accounting procedures be upgraded to provide (1) a technical review of source data for errors and irregularities and (2) a quality control program to assure the accuracy of the bookkeeping process.

(c)

NRC require licensees to develop plant specific plans to respond to NRC requests to perform special physical inventories (on demand) in a timely manner.

In addition to actions related to the Upgrade Rule, the Task Force recommends that:

R5-7(d)

NRC initiate a study to determine alternatives for establishing an absolute quantitative action limit for cumulative inventory difference. The study should also determine the appropriate number of successive periods to which this action limit would apply.

(e)

Until a regulatory base is developed for requiring control of cumulative inventory difference, NRC monitor licensee performance and investigate incidents which fail to meet the proposed cumulative inventory difference goal (MA15).

(f)

Current work on developing evaluative methods for assessing inventory differences be brought to a timely conclusion and published in the form of NUREG Reports to assist licensees and the NRC staff.

(g)

NRC publish a regulatory guide detailing appropriate procedures, with illustrative examples, for proper propagation of measurement uncertainties.

Subsequent to the issuance of the guide, NRC should review the measurement uncertainty propagation models used by each licensee and take corrective action where inappropriate statistical procedures are used.

Long-Term Improvements - The Task Force recommends that:

R5-7(h)

In phase 2 of the Upgrade Rule, NRC (1) modify the requirements of Section 70.51 of 10 CFR Part 70 to be consistent with goals MA6 and MA15, (2) provide requirements consistent with goals MA7, 8, 9, and 14 for material balance accounting, (3) prescribe investigative and corrective actions to be taken in response to inventory differences that exceed control limits or safeguards alarm levels, and (4) incorporate the results of the study to determine an absolute quantitative action limit on cumulative inventory differences.

(i)

NRC prepare regulatory guides to assist licensees in designing accounting systems to meet goals MA6, 7, 8, 9, 14, and 15.

(j)

NRC publish a NUREG document describing techniques and strategies which may be used for investigating excessive inventory differences.

Shipper-Receiver Evaluations

The goals proposed by the Task Force would upgrade the role of shipper-receiver comparisons in the accounting of SSNM by specifying performance requirements.

Short-Term Improvements - Until the current regulatory base is revised to incorporate the proposed goals (MA 4, MA 5, MA 10, and MA 11) listed in Chapter Four, the Task Force recommends, with one exception, the continuation of current practices. While current regulations require that both shippers and receivers make independent measurements on shipments, they do not prescribe the manner in which shipper-receiver differences are reconciled. In some cases this has been interpreted to permit shippers to adjust their shipment values to receiver measurements without independent verification or show of cause.

The Task Force recommends that:

R5-8(a)

In phase 1 of the Upgrade Rule, NRC clarify the regulatory base with respect to reconciliation of shipper-receiver differences.

(b)

Regulatory Guide 5.28 on evaluation of shipper-receiver differences be reviewed and revised as necessary to effectively implement the new upgrades.

(c)

The proposed regulatory guide on the reconciliation of statistically significant shipper-receiver differences be completed and published.

(d)

Pending implementation, by regulation, of the goals on shipper-receiver comparisons (MA4, 5, 10, and 11), NRC closely monitor performance in this area and investigate and evaluate excessive differences.

Long-Term Improvements - The Task Force recommends that NRC:

R5-8(e)

In phase 2 of the proposed upgrade rule, incorporate the shipper-receiver evaluation goals (MA4, 5, 10, and 11).

Scrap Controls

The accumulation of scrap historically has been a major problem in material accounting. Difficult-to-measure scrap has contributed significantly to inventory differences. Failure to recover material promptly has resulted in long delays in reconciliation of inventory differences and has caused serious problems in adjusting records to reflect the true state of performance within individual inventory intervals. For some high-throughput facilities it has been necessary for NRC to require, through license conditions, a more timely recovery of scrap than the current regulations prescribe to meet current accounting requirements. The major concern is that scrap accumulations, besides containing significant quantities of poorly measured material, can be used to mask a real loss of material.

Short-Term Improvements - The Task Force recommends that:

R5-9(a)

Until new regulations are promulgated, license conditions be utilized to tighten scrap recovery requirements to the extent necessary to meet current material accounting requirements, on a site specific basis.

(b)

NRC perform a comprehensive study to characterize accounting problems associated with the accumulation of scrap materials in various portions of the fuel cycle. Recovery and accounting alternatives should be identified and assessed.

Long-Term Improvements - The Task Force recommends that:

R5-9(c)

Phase 2 of the proposed upgrade rule require licensees to recover and account for scrap in accordance with the proposed material accounting goals, particularly MA 16.

Measurements and Measurement Quality Control

Measurements and their associated quality control program form the heart of the material control and material accounting systems. A strong regulatory base already exists in this area. Considerable work needs to be done in the future to develop the technology to support fully material control and material accounting goals. For example, there will be strong need to develop and demonstrate measurement capabilities to support the process monitoring program recommended in this report.

Short-Term Improvements - The Task Force feels that it is crucial for licensees to have an ongoing, rigorous measurement control program that provides measurement uncertainty data accurately reflecting the true measurement uncertainties in licensee measurement systems. An inadequate program can result in a false alarm rate that is too high or a detection probability that is too low, and/or a failure to accurately evaluate and eliminate measurement biases.

The Task Force recommends that:

R5-10(a) NRC fully implement §70.57 of 10 CFR and carefully review current licensee material control plans. It is of particular importance that all sources of measurement uncertainty be accurately estimated and included in licensees' estimates of total material balance measurement uncertainty. Sufficient compliance inspections should be scheduled during the inception period to assure effective implementation.

Long-Term Improvements - The recommendations identified below are considered to be ongoing projects of a long-range nature.

R5-10(b) Support the National Bureau of Standards programs for development of reference standards and reference methods for nuclear material measurements.

(c) Develop measurement techniques for estimating quantities of SSNM held-up in process equipment, piping, and work stations.

(d) Develop and demonstrate on-line measurement equipment for application to process monitoring.

(e) Provide improved methodology for calibrating and monitoring measurement systems.

(f) Develop verification techniques for waste stream measurements.

(g) Continue the development of NDA applicable to the commercial nuclear fuel cycles.

(h) Characterize the behavior of systematic errors and their effects in the fuel cycle and develop improved statistical techniques for treating them.

(i) Refine the statistical methodology for propagating measurement errors.

(j) Continue publication of the results of the above developmental projects in NUREG reports to transfer measurement and measurement control technology into licensee applications.

Management Control

The subjects of (1) organization; (2) delegation of authority; (3) audits; and (4) personnel selecting, training, and qualifying are treated under the general heading of Management Control. With the exception of item (4), these elements have a firm base in the current regulations. The Task Force believes that the importance of and the specialization required for implementation of the safeguards program dictates that provisions be made in the requirements for safeguards training in the areas of material control and material accounting.

Short-Term Improvements - The Task Force believes that the effectiveness of implementation and enforcement of the regulations pertaining to the organization plan and delegation of authority can be improved through clarification of NRC's intent on these matters. Therefore the Task Force recommends that:

R5-11(a) NRC clarify the intent of the regulatory requirements concerning the organizational plan and delegation of authority through the development of regulatory guides.

(b) NRC give consideration to standardizing safeguards training of licensee personnel with major material control and material accounting responsibilities.

(c) NRC establish minimum standards for position descriptions for key material control and material accounting personnel and require upgrades where appropriate through changes in licensee Fundamental Nuclear Material Control plans. The personnel considered should include material custodians and individuals assigned responsibility for vigilance over material in process, attesting to the validity of intraplant transfers, the measurement control program, statistical analysis, and the non-destructive assay program.

The regulatory base provides for yearly audits and reviews of the material control and accounting programs and for audits of the material records. These requirements have been strengthened at some facilities where material control and material accounting practices have needed improvement. Conditions have been added to these licenses requiring audits to be performed four times a year.

The Task Force feels that an increased audit frequency has been sufficiently beneficial to merit requiring it of all major licensees. Therefore the Task Force recommends that:

R5-11(d) Phase 1 of the proposed upgrade rule include a requirement for random audits three times per year.

(e) A regulatory guide be developed addressing the frequency, scope and conduct of material control and accounting audits.

In addition, the Task Force recommends that:

R5-11(f) The proposed upgrade rule, phase 1, include criteria for selecting, training, and qualifying key material control and material accounting personnel.

(g) A NUREG report be developed to assist licensees in planning their personnel selection, training, and qualification program.

Long-Term Improvements - The Task Force identified no long-term improvements for management control.

Security of Records

Two aspects of security have been considered under this topic. The first deals with protecting against the destruction or alteration of records. The second pertains to limiting access to information that is not available in the public domain about specific material forms, locations, and quantities in a facility. The current regulations do not directly address security of information, but some is provided through National Security Information requirements applied at certain facilities. The pending rule covering classification of safeguards information would provide some additional security.

Short-Term Improvements - The Task Force recommends that:

R5-12(a) Ongoing NRC staff efforts related to classification of safeguards information be completed expeditiously.

Long-Term Improvements - The Task Force recognizes the vital role of a system of records in material control and material accounting. Therefore the Task Force recommends that:

R5-12(b) NRC perform a study to establish performance criteria for a system of records and for their protection against falsification and destruction adequate to meet the proposed material control and material accounting goals.

(c) Phase 2 of the proposed Upgrade Rule (1) provide minimum specifications or capabilities which licensee records systems must achieve to meet the proposed material control and material accounting goals and (2) require that access to the record system be limited to those with need to know.

NRC Program Upgrades

The remaining goals in Chapters Three and Four fall under three topics: IAEA Support, NRC Monitoring, and Public Information. The responsibility for defining and administering programs in these three areas rests primarily with NRC.

IAEA Support

The NRC has a commitment under the amended Atomic Energy Act of 1954 to support the U.S. arrangements made with the IAEA. The main activity at present pertains to implementation of the pending US-IAEA agreement for safeguards that is centered on material accounting with support from containment and surveillance. A regulatory base is nearing completion for implementing the US-IAEA agreement at licensed facilities. The Task Force has no specific recommendations in this area other than goal MA 22, which is restated below:

R5-13 NRC should provide material accounting information to IAEA in conformance with IAEA requirements and should ensure that safeguards of applicable licensed facilities conform to IAEA requirements.

NRC Monitoring

The Energy Reorganization Act assigned to the Office of Nuclear Material Safety and Safeguards the specific function of monitoring internal accounting systems for special nuclear material. The Task Force has recommended goals (MC 16, MA 12, and 17) for NRC to monitor shipper-receiver differences, inventory differences, and the overall effectiveness of safeguards across the fuel cycle.

In order to achieve the proposed goals, the Task Force recommends that:

R5-14 NRC continue to develop and use monitoring and evaluative capabilities to assess trends, biases, cumulative effects, intraplant relationships, and the effectiveness of the safeguards program for strategic special nuclear material in the fuel cycle.

The section of Chapter Six entitled "Information Flow and Analysis" contains recommendations for improving the information base supporting such monitoring.

Public Information

The Task Force has recommended as an assurance goal (MA 21) that the public be provided with reports containing information on the status of strategic special nuclear material across the fuel cycle. These reports should provide assessments of material control and material accounting data. One report on inventory differences (Ref. V-6) has already been provided to the public and the Office of Inspection and Enforcement is planning publication of a periodic report.

The Task Force recommends that:

R5-15(a) NRC continue to provide the public with periodic reports containing information on the status of strategic special nuclear material.

(b) NRC develop an increased capability to respond to public inquiries.

The Task Force believes the NRC should give greater visibility to the assurance provided by the overall safeguards program. Therefore the Task Force recommends that:

(c) NRC maintain an ongoing effort to apprise the public on the effectiveness of the safeguards program.

Relationship of Goals and Upgrades

The upgrading actions recommended in this section were developed directly from a consideration of the goal statements in Chapters Three and Four. Since some goals within each chapter are related and since there is overlap between the material control and material accounting systems, there is not a one-to-one correspondence between the goal statements and the recommended upgrades. The upgrade actions correlate with the goal statements as indicated by Table V-2.

Table V-2 Relation Between Goals and Proposed Upgrades

Goals                                                   High Priority Regulatory Upgrades
MC3, MC8, MC9, MC10, MC11, MC14, MC15                   Process Monitoring
MC3, MC8, MC9, MC10, MC11, MC12, MC13, MC15, MA8, MA9   Item Control
MC3, MC4, MC5, MC6, MC7, MC11, MC15, MA3, MA8, MA9      Custodial Control
MC6, MA3, MA13                                          Measurement Verification

Goals                                                   Other Priority Regulatory Upgrades
MA6, MA7, MA8, MA9, MA14, MA15                          Material Balance Accounting
MA4, MA5, MA10, MA11                                    Shipper-Receiver Evaluations
MA16                                                    Scrap Control
MA16, MA19, MA20                                        Measurements
MC2, MC7, MA3, MA18                                     Management Control
MC1, MA1, MA2                                           Security of Records

Goals                                                   NRC Program Upgrades
MA22                                                    IAEA Support
MC16, MA12, MA17                                        NRC Monitoring
MA21                                                    Public Information

Current Development Programs

Introduction

NRC's current development programs for material control and material accounting can be separated into the following four categories: (1) development of improved evaluative methodologies related to material control and material accounting, (2) development of new approaches to performing material control and material accounting operations, (3) development of new techniques for analyzing material control and material accounting data, and (4) development of improved measurement and measurement quality control techniques. Each of these four categories of the current development program will be summarized in this section. More detailed discussion of the programs may be found in certain sections of Chapter Six.

Evaluation Methods

In Chapters Three and Four the Task Force proposed goals for material control and material accounting in terms as specific as possible and discussed the capabilities of current safeguards systems relative to these goals. The judgments regarding current capabilities were based on a thorough review of the existing regulatory base, the Task Force's professional judgment and experience, preliminary drafts of special reports of recent NRC (and NRC contractor) on-site assessments, and on records of the inventory differences and measurement uncertainties currently incurred at licensed facilities.

In the course of developing judgments regarding goals and current capabilities, the Task Force was aware of the acute need for further development of systematic evaluation methodologies for determining safeguards adequacy. In the beginning of this chapter, the section on integration of material control, material accounting, and physical security systems into a cost-effective safeguards program further reflects the need for improved evaluation methodologies.

One should not infer that less than complete development of evaluation methodologies has led to ineffective safeguards. In fact, the lack of sophistication in evaluation methodologies may have resulted in increased conservatism on the part of the regulatory staff which has had to base its evaluations to a considerable extent on professional judgment.

Improved evaluation capabilities should provide a capability to validate the adequacy of current proposals for upgrading material control, material accounting, and physical security on a more quantitative and objective basis. This would result ideally in optimization of the use of available safeguards resources, and could reduce demands on individual portions of the safeguards program.

Attributes

A set of evaluation methodologies should be available which possesses the following general attributes:

A-1 Capability of assessing the adequacy of material control and material accounting systems to meet the goals specified in Chapters Three and Four.

A-2 Capability of assessing whether an integrated safeguards program provides a desired level of redundancy and diversity, and of assessing tradeoffs.

A-3 Capability of assessing vulnerability against a spectrum of defined threats.

A-4 Capability of meeting the needs of both licensees and NRC.

A-5 Capability of assessing safeguards for current operating facilities and those anticipated in the foreseeable future.

A-6 Capability of providing confidence in the adequacy of the results produced using the methodology.

A-7 Capability of meeting user needs with respect to ease of use and allocation of resources.

Evaluation Techniques - This section discusses four evaluation techniques that currently address, to varying degrees, material control and material accounting. These techniques include the Comprehensive Evaluation Program (in current use by NRC), Diversion Path Analysis (under development for the Department of Energy by the National Bureau of Standards), the Material Control System Assessment Procedure (under development for NRC by Lawrence Livermore Laboratory), and Analysis of Safeguards Vulnerability to Collusion (under development for NRC by Science Applications, Inc.).

In order to assess the utility of these techniques, they have been compared in Appendix E to the evaluation methodology attributes presented in the preceding section. The results are summarized in Table V-3.

In constructing Table V-3 the evaluation methodologies were rated in terms of the Task Force's assessment of whether or not they possessed or could be slightly restructured to possess each of the attributes presented.

TABLE V-3 CANDIDATE EVALUATION METHODOLOGIES VS. ATTRIBUTES (From Table E-1 of Appendix E)

Evaluation Methodology: Material Control Assessment; Material Accounting Assessment; Integration of Safeguards; Threat Spectrum; User Needs; Facility Types; Adequacy of Results; Ease of Use -- Economy

Comprehensive Evaluation Program (currently in use): Very Good; Very Good; Good; Very Good; Fair; Very Good; Fair; Fair

Diversion Path Analysis: Good; Good; Poor; Very Good; Good; Very Good; Fair; Poor

Material Control System Assessment Procedure Very (LLL): Fair; Fair; Good; Very Good; Good; Good; Good; Fair

Security Force Collusion (SAI): Fair; Poor; Very Good; Good; Fair; Very Good; Fair; Good

It should be understood that no one methodology can be expected to rate highly in all categories and that a methodology which rates highly in only a few categories can be effective in specific situations. None of the methodologies considered was designed to have all the attributes recommended by the Task Force. The following is a discussion of the utility of proposed evaluative methodologies in assessing the degree to which facility safeguards systems can meet material control and material accounting goals.

Comprehensive Evaluation Program (CEP) - The Comprehensive Evaluation Program (Ref. V-7) is a combination of four different evaluative techniques: the Material Control and Accounting Assessment and the Diversion Path Survey, which address material control and material accounting, and the Physical Security Assessment and the External Assault Appraisal, which address physical protection. These techniques were developed early in 1977 at the Commission's request and have been used to assess four major SSNM facilities.

The Material Control and Accounting Assessment (MCAA) is designed to examine, in detail, the capability of a facility's material control and material accounting systems to detect the loss of five formula kilograms of SSNM and to provide assurance that no such loss has occurred.

The elements considered by the technique include:

the item control system, the shipper-receiver control system, the record system, the process control system, the measurement and measurement control systems, and the statistical and material balance analysis system.

The Diversion Path Survey (DPS), based on a technique developed by NRC and the National Bureau of Standards, is primarily oriented toward an analysis of the vulnerability of the material control system to theft or diversion by an insider or by a conspiracy. The survey consists of a systematic determination of the locations in which SSNM is accessible for theft and the construction of possible adversary action sequences (diversion paths) which could be employed to remove the material from controlled areas in the facility. It also determines the role that documentation and system checks and balances play in hindering a diversion or conspiracy.

MCAA and DPS in combination in the CEP are very well oriented toward assessing the capabilities of current facility types to meet material control and material accounting goals over a wide spectrum of threats. However, they meet only a limited number of user needs and only a limited number of the criteria to ensure adequacy of results. The techniques are costly in terms of staff time and licensee impact.

Diversion Path Analysis (DPA) - Diversion Path Analysis is the name given to a structured procedure developed by the National Bureau of Standards (NBS) for the Department of Energy (DOE) (Reference V-8). This procedure enables the evaluator to systematically consider methods (paths) by which special nuclear material (SNM) can be covertly removed from its authorized location in a facility. It considers various methods by which a removal could be concealed and identifies operational procedures or safeguards mechanisms necessary to detect such diversion attempts.

DPA deals predominantly with those insiders who have hands-on access to material and/or records, but also directs consideration to other personnel who may be in the area. By forcing a detailed and systematic, although judgmental, examination of the facility, assurance is gained that all diversion paths within the scope of the analysis have been considered.

DPA is well oriented toward assessing the sort of material control and material accounting capabilities set forth in the Task Force goal statements considering the various threat attributes of interest. It meets a number of user needs and handles most facility types of interest. It is not strong in its consideration of integrated safeguards; provisions to assure adequate, consistent results; and economy of use of resources.

Material Control System Assessment Procedure (MCAP) - Development of a systematized means to determine the effectiveness of material control systems is the major thrust of the work sponsored at the Lawrence Livermore Laboratory (LLL) by the NRC (Reference V-9). The approach assumes future regulations to be performance-based. It is further assumed that the tools developed must be useful to license applicants and to NRC. A licensee may be able to use the tools during design of his safeguards program. The NRC should be able to use the tools to develop new methodologies, to evaluate license applications, and to assist in inspection and enforcement processes.

The LLL has been charged with the task of developing assessment tools and procedures, a data base from which assessment information can be drawn, and a format for licensees to follow in preparing submittals, thereby making assessment straightforward.

This approach is in the developmental stage.

MCAP is to be oriented to evaluation of the sort of material control and material accounting capabilities developed in Chapters Three and Four.

It is intended to consider the integration of material control, material accounting, and physical protection safeguards systems; to meet user needs; to provide confidence in the adequacy of results; and to deal with the requisite spectrum of threats. MCAP will be oriented toward dealing with the types of facilities of interest to NRC.

Reasonable ease of use and effective utilization of analysts' time are development objectives for the project.

Security Force Collusion Methodology - The Science Applications, Inc. (SAI) Security Force Collusion (SFC) technique (Ref. V-10) is not oriented toward evaluating many of the elements of the material control and material accounting systems. Nevertheless, it has been included in this discussion because it provides a good analysis framework for integration of material control and physical protection safeguards against collusion.

The SAI methodology consists of analyzing both physical protection and selected material control safeguard elements in terms of the individuals who are in a position to degrade their effectiveness.

The safeguard components also are represented in terms of their location within the facility. The methodology then analyzes paths to the facility boundary from locations where SNM is accessible, determining the individuals who control the safeguards along these paths.

By considering the individuals responsible for safeguards components along a path, it is possible to identify a conspiratorial group of individuals who could most effectively degrade safeguards. When all such candidate paths for theft are analyzed, the method locates and lists the paths most vulnerable to collusive theft by any specified group of employees and yields a measure of the vulnerability of the remaining safeguards along the path.

Since the methodology considers both physical protection and selected material control safeguards elements, it provides an integrated safeguards approach to the analysis of facility vulnerability to collusion.
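The path-and-controller analysis described above can be sketched on a toy model. The following is an added example, not code from the report or from SAI: the areas, safeguard elements and roles are constructed, and it assumes that any single listed role can degrade the element it controls. It reports, for each route to the boundary, the smallest set of roles that together control every safeguard on it, and for a specified group, which safeguards remain intact.

```python
from itertools import combinations

# Constructed facility model (hypothetical): each directed hop between areas
# lists the safeguard elements met on that hop.
EDGES = {
    ("vault", "process_line"): ["transfer_overcheck"],
    ("process_line", "corridor"): ["portal_monitor"],
    ("corridor", "boundary"): ["exit_search"],
    ("process_line", "waste_dock"): ["waste_assay", "discard_witness"],
    ("waste_dock", "boundary"): ["shipping_record_check"],
}

# Constructed assignment: roles in a position to degrade each safeguard.
# Modelling assumption: any single listed role can degrade the element.
CONTROLLERS = {
    "transfer_overcheck": {"custodian"},
    "portal_monitor": {"guard"},
    "exit_search": {"guard"},
    "waste_assay": {"assay_technician"},
    "discard_witness": {"independent_observer"},
    "shipping_record_check": {"records_clerk"},
}


def simple_paths(start, goal, _path=()):
    """Yield every loop-free route from start to goal as a list of areas."""
    path = _path + (start,)
    if start == goal:
        yield list(path)
        return
    for src, dst in EDGES:
        if src == start and dst not in path:
            yield from simple_paths(dst, goal, path)


def safeguards_on(path):
    """All safeguard elements met along a route, in order."""
    return [s for hop in zip(path, path[1:]) for s in EDGES[hop]]


def remaining_safeguards(path, group):
    """Safeguards on the route that nobody in `group` is positioned to degrade."""
    group = set(group)
    return [s for s in safeguards_on(path) if not CONTROLLERS[s] & group]


def rank_paths(start, goal, group):
    """Routes ordered from fewest to most safeguards left intact for `group`."""
    rows = []
    for path in simple_paths(start, goal):
        left = remaining_safeguards(path, group)
        rows.append((len(left), path, left))
    return sorted(rows, key=lambda row: row[0])


def min_collusion(path):
    """Smallest set of roles that together control every safeguard on a route."""
    elements = safeguards_on(path)
    roles = sorted(set().union(*(CONTROLLERS[s] for s in elements)))
    for size in range(len(roles) + 1):
        for group in combinations(roles, size):
            if not remaining_safeguards(path, group):
                return set(group)
    return None  # unreachable: the full role set always covers the route


if __name__ == "__main__":
    for path in simple_paths("vault", "boundary"):
        group = min_collusion(path)
        print(" -> ".join(path), "| roles needed:", len(group), sorted(group))
    for left_count, path, left in rank_paths("vault", "boundary", {"guard"}):
        print("guard alone:", " -> ".join(path), "| intact:", left)
```

In this constructed model the corridor route carries three safeguards but depends on only two roles, because one role controls two elements in series; that is the kind of diversity gap attribute A-2 asks an evaluation method to expose.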

Summary

The evaluation methodologies under development are more complementary than competitive. Each has its own strengths and weaknesses as the previous discussion indicates. The various methodologies have been developed for different purposes, none of which has been oriented toward the specific material control and material accounting goals developed in this report. Nevertheless, in combination the methods have the potential to possess all the attributes discussed. The Task Force recommends that:

R5-16 NRC develop an evaluative program encompassing a broad set of assessment methodologies, with the goal of incorporating, in a consistent manner, evaluation attributes A-1 through A-7.

The Task Force believes that a considerable portion of this task can be accomplished by combining existing evaluative techniques, with appropriate modifications, and evaluative techniques under development.

New Approaches to Material Control and Material Accounting

There are three current development programs that may provide alternative means of attaining material control and material accounting goals. These are studies concerning safeguards use of process control and quality control data, controllable unit accounting, and rapid nuclear material control systems. The purpose and status of each program will be discussed briefly with appropriate references to more detailed discussion of the underlying concepts in other parts of the report.

The study on possible safeguards use of process and quality control data is intended to evaluate the potential safeguards utility of measurement data currently generated by licensees for process and quality control reasons. This study may be useful in determining licensees' capabilities to meet a number of goals proposed by the Task Force and the impact of regulatory requirements imposed upon licensees to meet those goals.

This project has been identified in the FY 78 budget submission but has not been initiated.

A study on controllable unit accounting is intended to develop and assess a technique for dividing licensee production operations into units to improve certain material control and material accounting capabilities. The basic concept of controllable unit accounting is the conversion of measurement uncertainty around a process or a portion of a process (the controllable unit) into a numerical measure which represents the degree of accountability control which can be attained with a specific processing and measurement system. This concept makes it possible to partition a process into specific controllable units whose size and throughput depend upon the degree of control required for safeguards purposes.

The controllable unit concept has been computer simulated for a hypothetical high-throughput fabrication plant (Reference V-11). The model indicates that the technique is quite useful in providing rapid (but not highly precise) checks for material loss while preserving the capability to perform much more sensitive but less timely checks. The method is also capable of assessing benefits which may be achieved by additional process measurement points or increased measurement frequencies vis-a-vis their associated costs.

It should be understood that these benefits apply only to the controllable units themselves. That is, this technique will not, in and of itself, decrease the total measurement uncertainty around a plant or process. Thus, while it increases detection sensitivity for a loss from a single controllable unit and assists in localizing losses, this technique will not detect a combination of small losses which could add up to a significant quantity of material and which are distributed among a large number of controllable units.

This program is sufficiently well developed to justify a pilot application in an operating plant. The Task Force believes that controllable unit accounting has the potential to make a significant contribution to the achievement of a number of the proposed material control and material accounting goals in the long term. Controllable unit accounting is discussed further in Chapter Six under "Rapid Material Control."

Under Department of Energy sponsorship, the Los Alamos Scientific Laboratory (LASL) is developing a "model" rapid nuclear materials control system, called DYMAC (for Dynamic Materials Control) (Reference V-2). The system, under development at the Plutonium Process Facility (TA-55) at LASL, consists of a plantwide surveillance system and a network of on-line non-destructive assay (NDA) measurement and verification instruments interfaced to a computerized materials accountability and control system.

DYMAC incorporates the following key elements: (a) an in-line and at-line measurement system relying heavily on newly developed NDA instruments to provide "real-time" quantitative assay data at key measurement points, (b) direct automated transfer of data from the plant floor into a central computer via interactive display terminals at selected measurement stations, and (c) an automated accounting system to provide rapid status on material balances around "unit processes," defined on the basis of process logic and material residence time in the process, and accessibility for measurement.

The current Department of Energy schedule projects a completion date of December 1979 for the assessment of the practicality of the DYMAC system at the TA-55 plutonium facility. Considering this schedule, the prototype nature of the DYMAC system, the lead time required for technology transfer, and system costs, the Task Force does not believe that significant portions of the DYMAC system will be in use in the commercial nuclear industry during the time period considered in this report. Therefore DYMAC or similar systems are not expected to have meaningful impact upon licensees' abilities to meet the proposed material control and material accounting goals presented in this report.

Rapid material control systems are discussed in further detail in Chapter Six and recommendations are made there.

New Techniques for Analyzing Data

There are three development programs which currently are being sponsored to provide new techniques for analyzing material control and material accounting data. One of these is a program to provide statistical analysis packages to the NRC and licensees for their use in analyzing material control and material accounting data. The other two programs are a time series analysis study and a study of the implications of strategic analysis.

The first of these is designed to present a set of statistical analysis techniques, including a discussion of such topics as the power of the statistical test, the individual confidence from a negative test that no loss has occurred, the probable amount and process location of a loss for a positive test, and comparisons to other candidate statistical tests. The statistical tests not only will address plant statistics such as inventory differences and their limits of error but will also address specific in-plant processes such as conversion of UF6 to U3O8. This set of statistical packages is scheduled for completion by the end of FY 78 and should prove useful to licensees and NRC in using process control data to meet the material control goals proposed by the Task Force.

The basic concept of time series analysis in the context of material accounting is that analysis of the properties of a time ordered series of inventory differences can provide a better assessment of the significance of inventory differences, and improved detection of continuing losses of small quantities of material. A number of candidate analysis techniques of this type are under investigation. These include the statistical analysis of cumulative inventory differences (CUSUM), a number of minimum variance unbiased estimation (MVUE) techniques (Kalman Filtering and Minimum Variance Inventory Estimates), and Box-Jenkins modeling. Until FY 78, the time series analysis program has largely concentrated on CUSUM and MVUE techniques, particularly Kalman Filtering (References V-12 and V-13). The FY 78 NRC development program with Oak Ridge National Laboratory is oriented toward an analysis of Box-Jenkins modeling and the documentation of extant software for transfer to NRC analysts. The basic techniques involved in time series analysis and a comparison of the detection capabilities of the CUSUM and MVUE techniques will be presented in the discussion of time series analysis under "The Analysis of Inventory Differences" in Chapter Six and in Appendix 0.
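The following Python sketch is an added illustration, not part of the report or of any NRC software. It shows why a cumulative (CUSUM) test can catch a small continuing loss that no single-period test flags. All measurements, the error standard deviations, the function names and the reading of a limit of error as a two-sided 95% bound on independent random errors are assumptions made for the example.

```python
"""Single-period versus cumulative (CUSUM) tests on inventory differences.

Added illustration. Every number below is constructed, not plant data.
"""
from math import sqrt
from statistics import NormalDist

Z95 = NormalDist().inv_cdf(0.975)  # assumption: two-sided 95 % limit of error

# Assumed random measurement errors, one standard deviation, in kilograms.
SIGMA_INVENTORY = 0.5   # one physical inventory
SIGMA_TRANSFERS = 0.3   # net measured transfers during one period

# Constructed measurements: the true inventory stays at 100 kg while 0.4 kg
# per period leaves the process unmeasured.
ENDING_INVENTORY = [100.3, 99.6, 100.5, 99.8, 100.1, 99.4, 100.4, 99.9, 99.7]
NET_TRANSFERS = [0.6, 0.1, 0.5, 0.8, 0.2, 0.7, 0.3, 0.6]  # receipts - removals


def inventory_differences(inventories, transfers):
    """ID for period i = beginning inventory + net transfers - ending inventory."""
    return [inventories[i] + transfers[i] - inventories[i + 1]
            for i in range(len(transfers))]


def cusum(ids):
    """Running total of the inventory differences."""
    totals, running = [], 0.0
    for value in ids:
        running += value
        totals.append(running)
    return totals


def single_limit(_period=1):
    """Limit of error of one ID: two inventories plus one period of transfers."""
    return Z95 * sqrt(2 * SIGMA_INVENTORY**2 + SIGMA_TRANSFERS**2)


def cumulative_limit(n):
    """Limit of error of the sum of n consecutive IDs.

    The ending inventory of one period is the beginning inventory of the
    next, so intermediate inventory errors cancel and only the first and
    last inventories contribute.
    """
    return Z95 * sqrt(2 * SIGMA_INVENTORY**2 + n * SIGMA_TRANSFERS**2)


def naive_cumulative_limit(n):
    """What the limit would be if the n IDs were wrongly taken as independent."""
    return Z95 * sqrt(n * (2 * SIGMA_INVENTORY**2 + SIGMA_TRANSFERS**2))


def first_alarm(values, limit_for_period):
    """First period (1-based) whose value exceeds its limit, or None."""
    for n, value in enumerate(values, start=1):
        if abs(value) > limit_for_period(n):
            return n
    return None


if __name__ == "__main__":
    ids = inventory_differences(ENDING_INVENTORY, NET_TRANSFERS)
    for n, (one, total) in enumerate(zip(ids, cusum(ids)), start=1):
        print(f"period {n}: ID {one:+.1f} (limit {single_limit():.2f})  "
              f"CUSUM {total:+.1f} (limit {cumulative_limit(n):.2f})")
    print("single-period alarm:", first_alarm(ids, single_limit))
    print("CUSUM alarm:", first_alarm(cusum(ids), cumulative_limit))
    print("CUSUM alarm, naive limit:",
          first_alarm(cusum(ids), naive_cumulative_limit))
```

With these constructed figures no single period exceeds its limit, the cumulative test alarms in period 4, and a limit that ignores the cancellation of intermediate inventories delays the alarm to period 8.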

The Task Force believes that many of these time series analysis techniques may be useful to NRC in meeting its responsibility to monitor and analyze licensee material control and accounting performance on an individual inventory period and on a cumulative basis. However, the Task Force feels the analysis techniques must be applied with great care. A demonstration of their capabilities will be necessary before recommendations are proposed for required licensee use.

Another complementary approach to data analysis involves strategic analysis. The basic concept of strategic analysis is to model safeguards in a competitive environment containing a safeguards defender and an adversary. It formulates the safeguards problem as a series of actions (moves) by the safeguards defender and the adversary. These actions result in varying costs and benefits to each, depending upon the actions taken. The analysis then makes use of the theory of games to develop optimum strategies for both the adversary and the safeguards defender.

The advantage of such an analysis technique is that the safeguards defender is using the optimum means to protect against any actions the adversary might take, to the extent that formulation of the problem is consistent with realistic adversary and defender motivations, costs, benefits, and actions. Critics of the technique contend that the defender must make decisions based on assumed or projected knowledge about the adversary, his strategy, and his motivation.

Present studies (Reference V-14) have been limited in scope to the application of strategic analysis to material accounting action and control limits. Efforts during FY 78 will be limited to sensitivity analysis of the existing model. The Task Force believes that some of the results from strategic analysis are interesting and that this technique might be useful to NRC in its planning and monitoring function. However, the Task Force does not believe that this effort has progressed to the point that it models the material accounting safeguards problem in sufficient depth for near-term application.

Since the analysis technique is based upon a sophisticated mathematical approach and has caused considerable controversy among the NRC staff, the Task Force believes that it merits a more detailed review than our time constraints have permitted. Therefore, the Task Force recommends that:

R5-17 A peer review group consisting of individuals knowledgeable about strategic analysis (game theory) and safeguards be established to assess the utility of strategic analysis for safeguards in general and for analyzing inventory difference and other material accounting data in particular.

Measurement and Measurement Quality Control

The current development programs related to improved measurements and measurement quality controls can be grouped into the following two categories: (1) programs designed to develop and promulgate standard procedures for the calibration and use of destructive, nondestructive, and bulk assay systems, and for the estimation and propagation of associated measurement uncertainties; and (2) programs designed to assist NRC in monitoring licensee measurement and measurement control programs.


In addition to the more sophisticated material control and material accounting methods and data analysis procedures discussed previously, material control and material accounting loss detection sensitivity can be improved by simply improving measurement techniques and measurement control programs. Recent material accounting assessments by NRC and several studies of licensee material accounting programs (References V-4, V-15 and V-16) have indicated that improvements in this area are within the state of the art at relatively low costs. NRC has a number of on-going development projects in this area whose FY 78 and FY 79 products will be the development of coordinated measurement assurance programs, standardized operating procedures and calibration techniques for nondestructive assay, a safeguards measurement handbook which covers all destructive, nondestructive, and bulk measurement techniques used for nuclear material, NUREG documents on accountability methods and on the preparation of working calibration and test materials, and an empirical study of systematic errors. These projects are discussed in Appendix C.

Measurements and measurement quality control are vital to both the material control and material accounting systems. Recent NRC assessments and studies (References V-4, V-15 and V-16) found room for making improvements in this area. Further, monitoring of licensee capabilities in this area is vital to NRC's assurance function. NRC's current programs in this area consist of support for four nondestructive assay vans assigned to the NRC Regional Offices and support for independent laboratory analysis performed for NRC by New Brunswick Laboratory.

Because of their importance in carrying out material control and material accounting roles, the Task Force feels that these programs should be accorded a high priority when material control and material accounting technical assistance requirements are considered. Therefore, the Task Force recommends the following:

R5-18 Current development programs for improving licensee measurement systems and measurement control programs should be accorded a high priority within NRC's research and technical assistance programs.

Summary

Approach

This chapter presented a blueprint for upgrading material control and material accounting systems. It began by describing the scope of an integrated safeguards program. The chapter next defined a program of short-term and long-term upgrades based on a grouping of the material accounting and material control goals into "high priority regulatory upgrades," "other regulatory upgrades," and "NRC program upgrades." Then a discussion was presented on evaluation methodologies, a necessary ingredient of a meaningful quantified goal-oriented safeguards program. Finally, the chapter examined these areas of NRC's current development program and their potential contributions to the material control and material accounting systems envisioned by the Task Force.

Conclusions and Recommendations

The Task Force believes there is a need for a program to define specific quantified goals for an integrated safeguards program, and to monitor safeguards programs in terms of these goals. In this report, the Task Force has recommended upgrades specific to the material control and material accounting systems. Although quantified goals for the total program could result in additional requirements for in-depth protection and trade-offs with the physical security system, the Task Force believes that the relative priority given to material control and material accounting upgrades in this chapter is basic.

NRC should give highest priority to developing regulations and guides that will enable material control to make a greater contribution to safeguards by providing greater timeliness and sensitivity in detecting and assessing material losses. This conclusion has resulted in several high priority recommendations, as shown in Table V-4 which summarizes the recommended upgrades. The Task Force also places priority on several upgrades related to improving material measurement capabilities, to licensee safeguards management control, and to record security. Priority upgrades are recommended for internal NRC programs.

Both short-term (18 to 24 months after acceptance of the recommendations) and long-term (up to 5 years) recommendations have been made. The Task Force recognizes that codification of a goal-oriented program is a long-term effort, which may require several years to complete.

Several upgrades call for the development of regulatory guides to provide licensees with specific guidance regarding implementation of the Task Force's goals. This upgrade will require revision of NRC's regulatory guide program in the area of safeguards.

The Task Force identified the attributes needed for evaluation methods to support goal-oriented material control and material accounting programs. The Comprehensive Evaluation Program, Diversion Path Analysis, Livermore's MCAP, and SAI's SFC techniques provide important complementary evaluative capabilities. The Task Force recommends continued development of these projects, with their objectives oriented toward the goals, programs, and upgrades endorsed by the Task Force.

As a result of the review of the current development program, the Task Force finds considerable potential in the Controllable Unit Accounting Program, NRC's development program for improving measurements systems and measurement control, and NRC's program for independent measurement and analysis using IE assay vans and outside laboratories.

TABLE V-4 Summary of Regulatory Upgrades Action To Obtain Goals:

Element Short-Term Long-Term Regulatory Upgrades MC3 MC8. MC9, Process Monitoring Require licensees to utilize Program for developing and High Priority available monitoring techniques testing methods for utilizing MC10. MCII, MC14, process information MC15 Full implementation of goals thru revised regulatory base (including guides)

MC3, MC8. MC9 Item Control Implementation of item control Develop secure and automated MC10. MC11. MC12, goals storage of items M13 MCIS, MA8, mag MC3, MC4. MC5, MC6, Custodial Control Implementation of custodial MC7, MCll, MC15, control goals.

Vulnerability analyses MA3,PtA3, MA9 Regulatory Guides c

MC6, MA3, MA13 Measurement Verification At least interim measures for Final measures for measure- &

verification of waste discard ment verification measurements Verification of transfer measurements 02her Priority Regulatory Upgrades MA6. MA7, MA8, Material Balance Accounting Improved traceability of accounting Develop regs. for loss detec-MA9, MA14, MAIS information tion in accordance with Task Force goals Licensee develop plans for inventory. Add ID action levels to on demand regulations Regulatory Guides re ID, losses Determine action limits for CID 11pproved error propagation

Regulatory Guides and reports

MA4, MAS, MA10 Shipper-Receiver Evaluations Clarify regulatory intent of Codify " goals" Mall shipper / receiver reconciliation NRC closely monitor S/R differences MA16 Scrap Controls Continue current site specific Full implementation of goals practices thru revised regulatory base MA16, MA19 MA20 Measurements Full implementation of existing Broad based measurement 1

70.57 enhancement program MC2, MC7, MA3 Management Control Regulatory Guides and reports MA18 0,

Standardized training NRC review of position descriptions Increase audit frequency MC1, MA1, MA2 Security of Records Implement ongoing staff efforts Develop standards for related to classification of protection of records safeguards information NRC Program Upgrades MA22 IAEA Support Conformance with IAEA requirements Same MC16, MA12, NRC Monitoring Establish program to assess trends.

Same MA17 intraplant relationships, safeguards effectiveness 1

MA21 Public Information Program of regular reporting Same

References - Chapter Five

V-1 Lumb, Ralph, et al., Ad Hoc Advisory Panel on Safeguarding Special Nuclear Material, Report to the Atomic Energy Commission, March 4, 1967.

V-2 Energy Research & Development Administration, Master Plan, ERDA-76/122, Division of Safeguards & Security, September 1976.

V-3 U.S. NRC Proposed Rule, Federal Register, Vol. 42, No. 128, pp. 34310-34326, July 5, 1977.

V-4 May, Erick, et al., "Summary Results of Material Control and Accounting Assessments - 1977 Comprehensive Evaluation Program," Internal NRC Report (Confidential), November 1977 (Draft).

V-5 Schneider, R. A., Battelle Pacific Northwest Laboratories, "The Safeguards Roles of Physical Protection and Material Accounting," (Communication to AEC), April 1973.

V-6 U.S. Nuclear Regulatory Commission, Report on Strategic Special Nuclear Material Inventory Differences, NUREG-0350, August 1977.

V-7 U.S. Nuclear Regulatory Commission, 1977 Comprehensive Evaluation Plan (Fuel Cycle Facilities with SSNM). Revised draft, March 4, 1977.

V-8 Maltese, M., Goodwin, K., Schleter, J., Diversion Path Analysis Handbook (Prepared for U.S. ERDA by National Bureau of Standards), October 1976.

V-9 Preliminary Results and Briefings on the Lawrence Livermore Laboratories Material Control Evaluative Methodology project, September 1977.

V-10 Preliminary Results and Briefings on the Science Application, Inc. Security Force Collusion project, October 1977.

V-11 Seabaugh, P. W., et al., Application of Controllable Unit Methodology to a Realistic Model of a High-Throughput, Mixed Oxide Fabrication Process (Draft report prepared for U.S. NRC by Mound Laboratory, operated for DOE by Monsanto Research Corporation), August 1977.

V-12 Pike, D. H., Morrison, G. W., Westley, G. H., "Applications of Kalman Filtering to Nuclear Material Control," ORNL/NUREG/CSD-1 (Prepared for U.S. NRC by Oak Ridge National Laboratory), October 1977.

V-13 Stewart, Kirkland B., "Minimum Variance Unbiased Estimators of Loss and Inventory Amounts," Battelle Pacific Northwest Laboratories, September 1977.

V-14 Siri, W. E., et al., A Study of Nuclear Material Accounting, Vol. I, NUREG-0290 (Prepared for U.S. NRC by Lawrence Berkeley Laboratory), April 1977.

V-15 McSweeny, T. I., et al., "Summary of Findings Evaluating Material Accounting Losses at Four Licensed Facilities," Battelle PNL Report for the NRC, November 1977 (Draft).

V-16 Siri, W. E., et al., A Study of Nuclear Material Accounting, Vol. II and III, NUREG-0290 (Prepared for U.S. NRC by Lawrence Berkeley Laboratory), April 1977.


CHAPTER SIX SPECIAL ISSUES i


Introduction

Throughout the deliberations that formed the bases for Chapters One through Five, certain issues frequently entered into the Task Force's discussions. These issues became a part of the decision making process that led to the overall program recommended in this report. In addition, the Task Force was requested to make recommendations on specific issues of concern to the Division of Safeguards. The Task Force decided to devote this chapter of the report to the analysis of these issues, six in number.

The first three issues are directly related. "Action Criteria for Inventory Differences," "Material Balance Area Accounting," and "The Analysis of Inventory Differences," all relate to material accounting and to its primary function of assurance. Each of them deals with confirmation of material status, an assurance measure, and each focuses on the ability of the material accounting system to verify the presence of material, detect anomalies, and provide assurance that safeguards have been effective. "Action Criteria for Inventory Differences" (ID) provides specific recommendations for NRC's and licensees' reactions to ID. "Material Balance Area Accounting" addresses a specific technique often suggested (and recommended by the GAO) as a means to improve the sensitivity of material accounting data and the control of IDs. The Task Force's discussion recommends an implementation of this technique under certain conditions. "The Analysis of Inventory Differences" describes the statistical basis of IDs, discusses the analysis of IDs for trends, and recommends a program for ID analysis in the future.

The fourth issue is "Rapid Material Control," as provided by "real" or "near real-time" material monitoring and measuring systems. It has been suggested by some experts as a solution to some of the problems found today in material control and material accounting systems. Rapid material control techniques are now under development by both DOE and NRC. This chapter briefly discusses the concepts of rapid material control and identifies their potential role within the program proposed by the Task Force.

In the fifth issue, the Task Force has addressed a complicated subject, collusion, that presents a special safeguards problem. Collusion among employees, or between employees and outsiders, against a facility handling SSNM could have a particularly debilitating effect on a safeguards program, if that program were not designed to protect against collusion. The Task Force feels that material control and material accounting make a unique contribution to combating collusion. "Collusion and Material Control and Material Accounting" describes this issue in terms of a conceptual structure and presents some general recommendations.

The sixth and final issue addresses a situation that the Task Force has identified as a deficiency in the current program, that is, the lack of routine, in-depth analysis by NRC of safeguards data within a structured, goal-oriented program. "Information Flow and Analysis" discusses information collection, dissemination, and analysis practices for material accounting data, and describes the information that must be reported by licensees for the analyses proposed by the Task Force.

ACTION CRITERIA FOR INVENTORY DIFFERENCES

One area examined by the Task Force was current criteria for response to large inventory differences. This subject was examined in detail with respect to current practices, proposed material accounting goals, and the material quantities of safeguards concern as specified in the NRC "Operating Assumption on Clandestine Fission Explosives," discussed in Chapter Three.

Proposed Criteria

Background

The existence of potential causes of inventory differences, discussed in Appendix D, was recognized at the time current ID action limits were established. However, these action limits were based solely on measurement uncertainties because it was judged that all of the other causes of IDs could be and should be controlled to relatively insignificant levels for safeguards. Otherwise, the assurance provided by material accounting could be seriously weakened. By using measurement uncertainties as the basis for action, NRC anticipated that licensees would make a substantial effort to minimize the effect of other factors in order to prevent excessive false alarms. Current practices related to action criteria are detailed in Appendix B.

General Approach

The Task Force believes that its proposed goals for material balance accounting require a different approach for the establishment of action limits for inventory differences and measurement uncertainty than that presently utilized. Current action limits were derived from a consideration of plant throughput quantities without an upper bound on the total quantity of material that may appear as ID. The proposed goals emphasize the control of inventory differences to provide with high assurance the detection of a loss of five formula kilograms of SSNM accessible to theft.

The Task Force considered the following two objectives for actions following the discovery of an excessive inventory difference:

Determine whether a loss of material has occurred and if it has, estimate its magnitude.

Determine any factors other than measurement error contributing to the excessive inventory difference, take any actions required to prevent their occurrence from distorting the material balance closure around the present period, and take action to prevent their recurrence.

The second objective is especially important for excessive negative inventory differences (apparent gains of material), since these tend to indicate out-of-control material accounting situations more than a possible theft of material. Therefore, the emphasis in this case is toward restoring control to the system and correcting any distortion of the material balance closure.

There are three basic actions which can be taken to achieve the objectives that the Task Force has set for the examination of excessive inventory differences. These are: (1) conducting an investigation, (2) conducting a reinventory using regular inventory procedures, and (3) shutting down the licensed operation and conducting a clean-out inventory.

The simplest action is to conduct an investigation of the excessive inventory difference for cause. Such an investigation should be comprehensive in nature and include review of process monitoring and other pertinent material control information, physical protection information, shipper receiver differences, measurement and measurement quality control data, physical inventory procedures and cutoff information, material transfer and waste discard records, and the bookkeeping ledgers and worksheets. A thorough review at this point is likely to uncover the factors which contribute to most excessive inventory differences and to contribute to their satisfactory resolution. If such contributors are found, it is important to determine the degree to which they are reflected in the records of current period transactions and holdings.

If an investigation is not sufficient to identify the cause of the excessive inventory difference, there is a strong possibility that the problem rests with the most recent physical inventory. In this case a reinventory is required. Depending on the size of the inventory difference, the reinventory should be conducted either by the regular inventory procedures or by shutting down and cleaning out the process to better measure the amount of material which has accumulated in pipes, ducts, and equipment. If the inventory difference indicates that there may have been a significant loss of material, then a clean-out inventory should be required to assess whether the apparent loss of material was due to inaccurate estimates of material quantities or incomplete recording of transactions.

Investigative Criteria

The Task Force believes there should be immediate investigation of all inventory differences which exceed their measurement limits of error. If the accounting imbalance is no greater than three formula kilograms, a thorough audit of the measurement, process control and the accounting records should suffice to reconcile the inventory difference. Reinventory should be conducted for values greater than three formula kilograms.

The Task Force also believes that the material accounting systems should alarm when cumulative inventory differences exceed their associated limits of error. Investigation in this case should be oriented toward identifying measurement biases and unmeasured loss streams which, although not significant during a single inventory period, could cause excessive cumulative inventory differences. The Task Force believes that a similar investigation should be conducted if the individual inventory differences comprising a longer term cumulative inventory difference exhibit a trend which is significantly different from zero. If the investigation of a cumulative inventory difference does not result in the determination of cause, the licensee should contact the appropriate NRC Regional Office for instructions. These should be provided on a plant specific basis.

As explained later in this chapter, controlling the measurement uncertainty of a material balance below approximately three formula kilograms is required to achieve the Task Force goal to detect the loss of five formula kilograms with high assurance and low false alarm rate. Therefore, the Task Force urges alarming the material accounting system whenever measurement uncertainties exceed three formula kilograms.* The investigation should include a comprehensive review of measurement and measurement quality control data, and a review of the limit of error calculations.

*Three formula kilograms results from a false alarm rate set at 5% and a detection probability of 90%. The Task Force feels that licensees should be given reasonable latitude in establishing a false alarm rate for their system on a site-specific basis.

Reinventory Criteria

If the investigation of an inventory difference that exceeds three formula kilograms does not identify the cause within three working days after its determination and the inventory difference is less than five formula kilograms, the Task Force recommends that the plant immediately prepare to conduct another physical inventory. The plant should begin taking constructive action in this regard within one working day. If the new inventory does not result in resolution of the inventory difference, the licensee should contact the appropriate NRC Regional Office for instructions. These should be provided on a plant specific basis.

Shutdown Inventory Criteria

The occurrence of a plant inventory difference greater than five formula kilograms for a single accounting period is considered by the Task Force to be reason for serious safeguards concern.

Except for those instances where the cause of such imbalances is identified and quantified within twenty-four hours of ID determination, the conduct of a shutdown-cleanout physical inventory is urged as appropriate investigative action.

A complete audit of the accounting source data and bookkeeping records should be performed as part of the investigative action.

The licensed operation at the plant should remain shut down until the inventory difference covering the period under investigation is reconciled within three formula kilograms, or NRC approves start-up in writing.

For the latter, the plant should satisfy NRC that it has accomplished the following:

(1) determined whether a loss of material has occurred and if it has, estimated the amount and type of material lost, the time and location of the loss and the employees authorized access to the area at the time of the loss, and (2) determined any other factors contributing to the excessive inventory difference and taken those actions required to prevent their recurrence.

On a plant specific basis, consideration should be given to requiring a licensee to conduct a shutdown-cleanout inventory to provide assurance that unmeasured material holdup is not the cause for cumulative inventory differences exceeding their associated cumulative measurement uncertainties over a twelve month period, if investigative action does not reveal the cause of the problem.

Reporting Criteria

Some changes in reporting requirements will be necessary to support the above proposals.

The Task Force believes that for each period in which an inventory difference (individual or cumulative) or measurement uncertainty of a material balance exceeds its control limit, the occurrence should be reported within twenty-four hours to the NRC.

In addition to providing a statement of probable reason and planned action at the time of initial contact with NRC, a licensee should provide, within thirty days of initial contact, a summary report of its findings and action taken.

If an action extends for more than thirty days, progress reports should be submitted every thirty days and a final report should be prepared summarizing the overall investigation.

Summary of Action Criteria

The major recommendations for action criteria are summarized in Table VI-1 and compared to current practices.

The Task Force recommends that:

RVI-1 The action criteria shown in Table VI-1 be adopted by NRC for licensees to follow in response to observed inventory differences.

On the basis of the foregoing discussions, the Task Force also recommends that:

RVI-2(a) Periodic reviews be conducted to evaluate the effectiveness of existing action criteria in light of new technology, changes in the perceived threat, revisions in the operating assumption or redirection in safeguards objectives and goals.

(b) NRC take action to examine the underlying statistical assumptions concerning the distribution, analysis, and sequential behavior of ID and CID and, based on this examination, provide licensees with definitive guidance for the statistical analysis of short- and long-term ID and CID.

Techniques should be sought for identifying action criteria that optimize the cost effectiveness of response actions both in terms of detecting theft and of restoring material accounting control.

These methods should quantitatively incorporate the capabilities of the total safeguards structure (physical protection, material control, and material accounting) into the determination of the best criteria for specific actions in response to inventory difference data.

TABLE VI-1¹

ACTION CRITERIA FOR INVENTORY DIFFERENCES

| ACTION TAKEN | CURRENT / PROPOSED | BIMONTHLY INVENTORY DIFFERENCES (ID)² | BIMONTHLY LIMITS OF ERRORS ON ID (LEID) | CUMULATIVE ID (CID) |
|---|---|---|---|---|
| Investigate | Current | \|ID\| > LEID and \|ID\| < 0.75% T | LEID > .5% T | None |
| Investigate | Proposed | \|ID\| > LEID and \|ID\| < 3 Fkg | LEID > 3 Fkg | \|CID\| > LECID, or long term trend in \|CID\| is significantly greater than 0. |
| Investigate and begin reinventory immediately | Current | 0.75% T < \|ID\| < 1.0% T | N/A | N/A |
| Investigate and begin reinventory within 3 days | Proposed | 3 Fkg < \|ID\| < 5 Fkg | N/A | N/A |
| Shutdown and investigate. Reinventory within 24 hours. Resume operations when \|ID\| < .75% T or when NRC approves | Current | \|ID\| > 1.0% T | N/A | N/A |
| Shutdown and investigate. Begin clean-out inventory within 24 hours. Resume operations when ID < 3 Fkg or when NRC approves | Proposed | ID > 5 Fkg | N/A | N/A |

1. T = throughput, Fkg = formula kilograms (see glossary), | | indicates an absolute value, and N/A = not applicable.

2. Minimum thresholds of 200 grams of Pu or U-233 grams of HEU must be exceeded before any action is required.

3. Consideration should be given to a shutdown-cleanout inventory if the investigation fails to reveal the cause of the problem.

MATERIAL BALANCE AREA ACCOUNTING

Background

A recent General Accounting Office (GAO) report (Ref. VI-1) recommended that the Commission change its procedures and monitor the accounting of SNM by individual material balance area (MBA).

GAO came to this conclusion after observing that there were large counterbalancing inventory differences for two or more MBAs within some plants while the inventory differences for the "total plant" were small.

The GAO is concerned that a problem associated with an individual MBA may not be isolated since losses and gains experienced elsewhere in the plant may cancel it out.

The recent Battelle Pacific Northwest Laboratory assessment report (Ref. VI-2) recommends that licensees be required to establish uncertainty control limits around MBAs which are at least as stringent as the facility limits.

They argue that unless this is done, "one has no mechanism for localizing and thereby identifying sources of loss from a facility." The use of MBAs for the institution of double-entry bookkeeping, assignment of custodial responsibility, localization of losses and establishment of internal checks can be traced to the inception of material accounting for nuclear materials (Refs. VI-3, 4 and 5). MBAs were required first by regulations in 1974.

The present fundamental nuclear material control regulations (Section 70.58 of Part 70, Ref. VI-6), which were published in effective form in 1974, include a number of criteria for the establishment of MBAs.

They are:

MBAs shall be established for the physical and administrative control of nuclear material.

Each MBA shall be an identifiable physical area such that the quantity of material being moved into or out of the area is represented by a measured value.

The number of MBAs shall be sufficient to localize nuclear material losses or thefts and identify the mechanisms.


The custody of all nuclear material within any MBA shall be the responsibility of a single designated individual.

These criteria are related primarily to the internal control of material rather than loss detection.

They are meant to provide sufficiency of material control information, responsibility, vigilance, verification, and localization of losses.

The present regulations require that a system of records and reports be established and maintained which will provide information sufficient to locate SNM and to close a measured material balance around each MBA and the total plant.

Furthermore, the measurement uncertainties associated with material balance closures must be controlled on a total plant basis within given specifications.

There is no requirement in the regulations for determining the measurement uncertainty of an MBA material balance, as Battelle Pacific Northwest Laboratory recommends (Ref. VI-2).

At the time the regulations were prepared, there was no data base for establishing numerical performance requirements for individual MBAs. When action criteria were prepared for inventory differences, it was envisioned that "total plant" control was adequate for the facilities under construction or in operation.

Having counterbalancing inventory differences in adjacent MBAs does not affect the accuracy of the plant material balance.

It is most often due to an inability to get good internal transfer measurements between MBAs or correct records of all transfers between MBAs.

Discussion of Feasibility

Careful design is usually required to structure cost effective, technically robust, internal material balance systems.

The separation of a plant into a number of MBAs has its greatest utility for loss detection at those plants where the overall plant measurement uncertainty is dominated by physical inventory measurements.

Dividing a plant into MBAs will split this uncertainty among a number of areas.

However, if such action results in an increase in measurement uncertainties associated with internal transfer measurements, the reduction of uncertainties in the inventory measurements may be offset by an increase in uncertainties associated with the transfer measurements.

A reduction in overall loss detection effectiveness could result.

At single-line production plants in which the overall material balance performance is dominated by uncertainties in input-output measurements, the advantage of breaking a plant into a number of MBAs for loss detection is not evident.

Little advantage would be gained by splitting the inventory uncertainty into a number of MBAs.

The throughput of the individual MBAs would be approximately the same as that for the entire plant except for scrap recovery operations.

For the latter, the large uncertainty associated with the measurement of input may be close to that of the main flow of material through the plant.

For these cases, improvement of plant input-output measurements, or more frequent inventories may be more productive for improving loss detection sensitivity.

In those plants where little is to be gained in detection capability by breaking a plant material balance structure into a number of MBAs, such action may still be desired to narrow the field of suspects in case of a theft of material and, as Battelle Pacific Northwest Laboratory argues, increased capability to localize the source of missing material (Ref. VI-2).

In view of the foregoing discussion, it should be noted that when one considers material accounting alternatives for meeting loss detection criteria, it may be more productive to safeguards, in certain instances, to improve overall plant measurements to meet the plant detection criterion, than to pursue the multiple material balance route which may be very costly because of a large increase in the number of internal transfer measurements.

This is particularly true for single-line production plants whose measurement uncertainty is strongly dominated by input-output measurements.

The Task Force does not envision a need for reinventory in response to individual MBA alarms.

Serious inventory problems should trigger the plant alarms.

Because of a high level of correlation between results of adjoining MBAs, there is usually little utility in separately taking a physical re-inventory and closing a material balance around a single MBA.

However, if there is positive indication of theft or diversion, consideration should be given to taking a plant physical inventory.

Conclusions and Recommendations

Goal Considerations

In Chapter Four, the Task Force proposed a material accounting goal that would require the establishment of accounting units (similar to MBAs but physically separated and under controls that would preclude theft by the same adversary from two or more accounting units) within a plant to achieve the desired loss detection capability when the plant-wide accounting system is unable to achieve the goal.

Under this proposal, each such accounting unit would have to be structured to meet the five formula kilograms detection criterion.

This provision for allowing the detection goal to apply to accounting units rather than an entire plant was included to provide a detection capability for five formula kilograms in those cases where the detection criterion cannot be met on a plant-wide basis.

However, as indicated in the foregoing discussion, there may be plants, e.g., those having a single-line production operation whose measurement uncertainty is dominated by input-output uncertainty, for which a partitioning into separate accounting units would not increase loss detection sensitivity.

For such plants to achieve the proposal goals, it would be necessary for them to reduce the total uncertainty surrounding their material balance.

There are several ways this could be done, e.g., improving measurement capability, reducing plant throughput, taking more frequent inventories, or installing parallel production lines.

GAO Considerations

The Task Force agrees with the GAO observation that counterbalancing internal inventory differences may weaken the capability of the material accounting system to localize nuclear material losses or thefts.

If separate MBAs are needed to meet the proposed goals with regard to sensitivity to localize losses and to identify loss mechanisms, then measurements and accounting practices must also be improved to control internal imbalances within the level of sensitivity specified for detection in the proposed goals.

Based on the foregoing discussions, the Task Force recommends:

RVI-3(a) The establishment of control requirements for measurement uncertainties and inventory differences at the individual MBA level, if required to ensure the desired detection sensitivity and loss assessment capability called for by the Task Force goals. Alarm levels should be equivalent to those proposed for inventory differences and measurement uncertainties in the previous section, "Action Criteria for Inventory Differences."

The investigation of all MBA alarms, should MBA level accounting be required, is recommended by the Task Force as follows:

(b) If an investigation does not result in resolution of an ID at the MBA level, the appropriate NRC Regional Office be contacted for further direction.

The results of the investigation should be recorded and made available to the NRC on request.

The investigation of MBA alarms should be a comprehensive review that would include assessment of process monitoring and physical protection information, measurement and measurement quality control data, physical inventory results, and accounting records.

It would be especially important to review performance data in adjoining areas to detect counterbalancing effects which might pinpoint material transfer errors.

The item listing should be checked for inventory errors, and processing data should be checked to confirm the validity of the process inventory listing.

A thorough review in many instances should identify the problem and the corrective action that is needed.

THE ANALYSIS OF INVENTORY DIFFERENCES (ID/LEID Tests and Other Techniques)

Background

Current NRC regulations addressing material accounting, and the Task Force's discussions of material accounting's primary function of assurance, center on the analysis of IDs.

As discussed in detail in Chapter Four and Appendix B, licensees compare the results of a physical inventory with information on the accounting records to strike a material balance and arrive at estimates of IDs each accounting period. The plant IDs are compared with estimates of the uncertainties in the accounting measurements.

The uncertainty estimates are called Limits of Error on ID, or LEID.

Based on the ID/LEID comparison, licensees take certain prescribed actions.

This section investigates the implications of the ID/LEID approach, reviews other material accounting analysis techniques that either are available now or under development, and recommends a program to strengthen material accounting data analysis in the future.

The proposed program has its basis not only in this chapter's discussions of ID/LEID comparisons and other analytical techniques, but also in the proposed goals and assessed capabilities presented in Chapter Four, and in the recommended upgrades in Chapter Five.

The ID/LEID Test

Under current practice licensees compute an inventory difference after each physical inventory, using the formula:

ID = (BI + A) - (EI + R).

Thus, ID is the beginning inventory (BI) plus additions (A) to inventory since the last physical inventory, less the sum of the ending inventory (EI) and any measured removals (R) from inventory during the same period.

If there were no measurement uncertainties or biases, no process or accounting errors, no unmeasured losses, and no process holdup, then in the absence of theft, BI + A would equal EI + R and ID would be zero.

However, there are measurement uncertainties, biases, errors, and unmeasured material in the system, and ID is very seldom zero.* ID is often modeled as a random variable.

That is, ID can take on any one of a continuum of values with a probability distribution determined by the size of the errors and unmeasured losses.

If theft or diversion has occurred, its value will be included in ID.

The objective is to detect the presence of a loss of material in the value obtained for ID.

The current approach for making statements about IDs is based on a statistical hypothesis testing technique, in which the hypothesis tested is that true ID is zero.

Reference VI-7 provides a mathematical description of this test.

*See Appendix D or Reference VI-8 for a more detailed discussion of the causes of IDs.

To test this hypothesis, the assumption is made that, in the absence of an unmeasured loss, measurement error or bias, process or clerical mistake, or process holdup, the random variable, ID, comes from a Gaussian (normal) distribution with a zero mean and a standard deviation, σ, completely determined by measurement uncertainty.

Using this assumption, one constructs a 95% confidence interval approximated by ±LEID, or ±2σ, around zero.

If the observed ID falls within ±LEID the hypothesis that the true ID is zero is accepted; if not, it is rejected and certain actions take place depending on how much ID exceeds the LEID.

It is important to understand what this test is, what it is not, and how it differs from the quantitative criteria that the Task Force has proposed in Chapters Three, Four, and Six.

First, establishing a 95% confidence region for accepting the null hypothesis for ID is not the same as establishing a specific probability (e.g., 95%) of detecting* a loss of material, or of detecting it with high assurance (90% or higher probability of detection), which is the level suggested in some of the Task Force's proposed goals.

In fact, the higher the confidence level, the lower the probability of detecting a loss.

For instance, a 99% confidence region provides lower probabilities of loss detection than a 95% confidence region.

The hypothesis testing technique for ID/LEID is not designed to provide specified probability levels for detection; rather, it fixes the sensitivity with which the hypothesis test is made.

A 95% confidence test means theoretically that if true ID is zero, the confidence interval will contain the observed ID with probability .95, and the probability that the confidence interval will not contain the observed ID (i.e., the probability of a false alarm) is .05.

False alarms occur when observed ID is greater than LEID, but there is actually no loss of material.

In statistical terms, there is a .05 probability of a type I error, which means that the probability of rejecting the null hypothesis when it is true is .05.

*Although the phrase "probability of detection" is used here and elsewhere in the report, these discussions actually deal with the "probability of an alarm." Detecting a loss will generally require additional investigative action to isolate the cause of the ID, especially in the case of theft or diversion.

A second important point about the current ID/LEID hypothesis testing practice is found by examining the type II error that can be inferred from it.

Type II error is the risk of accepting the hypothesis that the true ID is zero when, in fact, it is not zero, i.e., when a loss has actually occurred.

This error is directly related to the probability of detection criterion for loss as proposed by the Task Force.

This relationship is most easily seen by considering a situation in which a loss has actually occurred. Then making a Type II error (accepting the hypothesis that there was no loss) is equivalent to not detecting the loss.

Since, for a single event, detecting the loss or not detecting the loss are the only possible alternatives, the probability of detecting the loss is one minus the probability of not detecting it.

Thus, for a single event, the probability of a Type II error is equal to one minus the probability of detecting a loss.

It is interesting to note that if there were an actual loss equal to LEID, the ID/LEID test based on a 95% confidence interval theoretically will detect it only 50% of the time; the Type II error is 50%.

Figure VI-1 generalizes this theoretical concept to show the probability that an unmeasured removal will result in a detection, using a 95% confidence interval test as a function of the size of the loss, as measured in units of the LEID.

It shows that the operating goal generally assumed by the Task Force, a 0.9 or greater probability of detection, is met for any loss that exceeds 1.65 LEID.

For the five formula kilogram quantity used in the goals, this requirement constrains LEID to be less than three formula kilograms.

This result has significant impact on the quantitative limits presented in the "Action Criteria" section.

Theoretically, there will also be a false alarm once out of every twenty ids, when there actually is no loss (or gain, a negative ID) of material.

Assuming that the probability of detection of a given amount of material is an established requirement, as suggested by the Task Force's proposed goals, there are two design criteria, measurement uncertainty and false alarm rate, that allow tradeoffs in the design of a material accounting system.

[FIGURE VI-1: Probability of Detection vs. Loss Size for ID/LEID Test (based on a 95% confidence interval). Horizontal axis: Loss (in units of LEID, 2σ units), 0.5 to 2.0.]

However, as the discussion in Appendix D indicates, if the measurement precision is not sufficient to keep LEID to approximately three formula kilograms, the false alarm rate becomes intolerably high.
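The relationship between loss size, LEID and alarm probability described above can be worked through numerically. The following is an added example, not part of the Task Force report; it assumes the report's idealized model (observed ID is Gaussian with a standard deviation σ set by measurement uncertainty, and LEID is the two-sided 95% limit), and all function names are illustrative.

```python
"""Power of the ID/LEID test under the idealized Gaussian model (added example)."""
from statistics import NormalDist

STD_NORMAL = NormalDist()  # zero mean, unit standard deviation


def limit_in_sigma(false_alarm_rate: float = 0.05) -> float:
    """Two-sided alarm limit in units of sigma (about 1.96 for a 5% false alarm rate)."""
    return STD_NORMAL.inv_cdf(1.0 - false_alarm_rate / 2.0)


def alarm_probability(true_loss: float, sigma: float,
                      false_alarm_rate: float = 0.05) -> float:
    """P(|observed ID| > limit) when observed ID ~ Normal(true_loss, sigma)."""
    limit = limit_in_sigma(false_alarm_rate) * sigma
    observed = NormalDist(mu=true_loss, sigma=sigma)
    return (1.0 - observed.cdf(limit)) + observed.cdf(-limit)


def loss_multiple_for(detection_probability: float,
                      false_alarm_rate: float = 0.05) -> float:
    """Loss, in units of the alarm limit, that alarms with the given probability.

    Uses the upper tail only; for a positive loss the lower tail adds a
    negligible amount, so the result is very slightly conservative.
    """
    z_alarm = limit_in_sigma(false_alarm_rate)
    z_detect = STD_NORMAL.inv_cdf(detection_probability)
    return (z_alarm + z_detect) / z_alarm


def max_leid(goal_quantity: float, detection_probability: float = 0.90,
             false_alarm_rate: float = 0.05) -> float:
    """Largest alarm limit that still detects goal_quantity with the given probability."""
    return goal_quantity / loss_multiple_for(detection_probability, false_alarm_rate)


def detection_curve(multiples=(0.0, 0.5, 1.0, 1.5, 1.65, 2.0)):
    """Points of the Figure VI-1 curve: (loss in LEID units, alarm probability)."""
    sigma = 1.0 / limit_in_sigma(0.05)  # scale so that LEID = 1
    return [(m, alarm_probability(m, sigma)) for m in multiples]


if __name__ == "__main__":
    print("loss/LEID  P(alarm), 95% test")
    for multiple, prob in detection_curve():
        print(f"{multiple:9.2f}  {prob:.3f}")

    print(f"loss needed for 0.9 detection: {loss_multiple_for(0.90):.2f} LEID")
    print(f"max LEID for a 5 Fkg goal:     {max_leid(5.0):.2f} Fkg")

    # Same measurement uncertainty, wider (99%) acceptance region:
    # fewer false alarms, but a 5 Fkg loss is alarmed less often.
    sigma = 3.0 / limit_in_sigma(0.05)  # plant whose 95% LEID is 3 Fkg
    for far in (0.05, 0.01):
        print(f"false alarm rate {far:.2f}: "
              f"P(alarm | 5 Fkg loss) = {alarm_probability(5.0, sigma, far):.3f}")
```
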

The final and perhaps most important points to be noted about the ID/LEID test are:

(1) that it is based on an idealized statistical description of IDs, and (2) that the discussions above are based on these idealized concepts.

In reality, an alarm caused by a loss of material does not necessarily mean detection of a theft.

Other steps must take place and other indicators uncovered before conclusive evidence of a theft is established.

Current procedure in response to an abnormal ID is focused on determining where a theft actually has occurred.

The intensity of the investigations will depend on the size of the ID.

IDs, in and of themselves, are not conclusive evidence of theft.

By the same reasoning, small IDs and negative IDs are not conclusive evidence that theft has not occurred.

Thus, constant vigilance and routine analysis are necessary even when the ID by itself does not indicate a problem.

This is one of the reasons that material control plays an important role in safeguards.

Another idealized concept is LEID as calculated from measurement uncertainty.

It may not be a complete estimate of the variance of the "true" distribution of IDs.

In reality, there are other contributions besides measurement uncertainty to the distribution of IDs.

These contributions, which may increase the variance or shift the mean of ID, include such things as unmeasured materials and clerical errors.

Recent studies (References VI-2, VI-8, and VI-9) and analyses have indicated that there is an abnormally high alarm rate for IDs exceeding LEIDs. Nominally this would happen 5% of the time.

The higher rate may be due in part to improper data analysis in estimation of the uncertainty of inventory measurement data.

Another major cause of the high alarm rate may be the inflation of ID through mistakes, e.g., accounting blunders and unmeasured process losses.

LEID estimates can be improved by implementing rigorous measurement control programs and by establishing definitive practices for LEID estimation.

In addition to the above considerations, data analysts should recognize that IDs for a single accounting period reflect only a part of the available information; analysis of IDs and any action that might result from their analysis should involve the ongoing record of accounting data and the precedents and trends it reflects, i.e., trend analysis.

Trend Analysis

Many of the goals set down by this Task Force are similar in some respects to requirements incorporated in the current regulatory base.

However, there are some goals that are not covered by the current regulatory base, including those dealing with the monitoring and control of cumulative inventory differences (CID), cumulative shipper-receiver differences (CSRD), and their associated measurement uncertainties, LECID and LECSRD, respectively.

Specifically, the following assurance goals for material accounting call for the monitoring and the control of CID, LECID, CSRD, and for LECSRD by licensees:

MA 11: Monitor the cumulative shipper-receiver difference on all correspondent accounts and on the combination of all receipts and shipments of SSNM to ensure that the cumulative differences for any period of twelve consecutive months do not exceed five formula kilograms.

MA 15: Identify, establish cause, and take corrective action for bimonthly and cumulative yearly inventory differences that exceed their associated limits of error.

Monitor and maintain accounting systems so that the long-term (greater than one year) behavior of plant inventory differences does not exhibit a trend which is significantly different from zero.

In addition, the following assurance goals for material accounting support the monitoring and analysis of these same statistics by NRC:

MA 12: Establish within NRC a capability for monitoring and analyzing all shipper-receiver differences to detect and investigate trends or biases that may be used to conceal diversion or thefts or that adversely affect the theft detection capability at a given facility.

MA 17: NRC should provide a monitoring capability to perform in-depth data analysis to measure licensee performance against NRC objectives and goals and to assess both short and long term inventory differences and other material accounting data of SSNM licensees and the licensed fuel cycle.

The methods currently used by licensees and the NRC to evaluate inventory difference data on a period-by-period basis center on ID/LEID analysis.

The methods used to evaluate shipper-receiver differences on a shipment basis are similar: a statistical test similar to the ID/LEID test is made.

In this case the hypothesis that true SRD equals zero is tested using a 95% confidence limit based on data generated by the licensees' measurement control programs.

If the shipper does not send complete error data for the shipment data to the receiver, some receivers perform this test assuming that the shipper's uncertainties are the same as his (the Task Force does not approve of this practice).

The methods envisioned by the Task Force for cumulative ID and SRD evaluations are similar to the methods already in use by licensees for bimonthly ID and single shipment SRD evaluation.

The differences in treatment of the data are discussed for IDs later in this section.

Appendix D includes a more complete discussion of several trend analysis techniques available for NRC use to achieve its assurance goals.

It compares the Cumulative Sum (CUSUM) and the Kalman Filter (KF) techniques to identify their relative capabilities to detect the loss of five formula kilograms of SSNM over a year.

The comparison is made for two loss "scenarios," a constant loss spread over a year and a block (single) loss in the last inventory period of a year.

Each of the methods is discussed in terms of CID analysis; however, each can also be applied to CSRD analysis.

The following paragraphs summarize the analysis detailed in Appendix D.

Cumulative Sum (CUSUM)

The CUSUM technique consists essentially of considering two or more inventory periods as if they formed one extended inventory period.

One compares the CID, which is the sum of the inventory differences for the shorter periods, with its associated uncertainty (LECID), and performs a statistical test (as described earlier for ID/LEID) of the hypothesis that true CID is zero.

If CID > LECID, the hypothesis is rejected, and a safeguards alarm results indicating that some action should be taken.

Kalman Filter (KF)

The Kalman Filter technique's underlying philosophy, as applied to material accounting, is that material accounting data are "noisy" estimates of the true data, and that the KF algorithm can combine a priori and historical material accounting information to obtain more accurate estimates of the true ID, or the true loss.

While the KF technique is more sensitive to certain diversion scenarios than the CUSUM technique, it suffers from two important constraints:

(1) it requires an assumption of a diversion scenario, which may or may not accurately model the true situation, and (2) it is comparatively complicated, requiring an advanced level of mathematical and statistical knowledge on the analyst's part.

For these reasons, and because KF does not appear to represent a significant improvement over CUSUM (indeed, in some cases, it is less sensitive), the use of Kalman Filtering should not be required of licensees at this time.

However, it appears to be useful in analyzing certain specific cases and is appropriate as one of a number of monitoring and analytical tools NRC can employ to meet its assurance goals.

Special Case Comparisons of Detection Power of Several Techniques It is useful and instructive to compare the capabilities of the ID/ LEID and CUSUM techniques to the theoretically optimum

  • statistics for detec-t tion of loss in a single period and on cumulative bases, respectively.

Stewart has provided such a comparison for certain special cases in Reference VI-10.

Appendix 0 includes an application of Stewart's results to two cases, a single loss in the last of six periods and a loss uniformly spread over six periods.

Table VI-2 summarizes the results.

In both, the comparisons centered on identifying the technique that permitted the higher LEID while maintaining the required 0.9 detection and probability at a false alarm rate of 5%.

In the constant loss case, the Kalman Filter is theoretically the optimum statistic.

In the block loss case, M, a statistic similar to ID (Ref. VI-10), is theoretically the optimum statistic.

* "Optimum" is used in the sense that the loss estimates generated by the statistics are unbiased and have minimum variance.

Table VI-2 Ranking of Loss-Detection Techniques (Based on Tables D-2 and D-3 in Appendix D)

            Loss Scenario
Rank*   Constant Loss   Block Loss
1       KF              M**
2       CUSUM           ID/LEID
3       M**             CUSUM
4       ID/LEID         KF

* Highest permissible LEID
** M, a statistic defined in Reference VI-10, is an estimate of ID.

The conclusion of the analysis is that ID/LEID is a good statistic for licensees to use for the detection of significant single period losses.

It performs almost as well as the theoretically optimum statistic in this case.

The difference in performance is virtually negligible for throughput dominated plants.

However, ID/LEID, on a period by period basis, is not a sensitive statistic for detection of significant losses accumulated in small amounts over a number of periods.

CUSUM is a good statistic for detection of such losses.

It performs almost as well as the optimum statistic, KF, in the constant loss case.

The difference in performance is negligible for throughput dominated plants.
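The ID/LEID versus CUSUM ranking above can be reproduced numerically with the following added example, which is not taken from the report or from Reference VI-10. It assumes six independent period IDs with equal standard deviation sigma, a per-period ID limit chosen so that the overall false alarm rate over six periods is 5%, and a CUSUM test applied once, as CID against LECID, at the end of the sixth period; all function names are hypothetical.

```python
from math import sqrt
from statistics import NormalDist

STD = NormalDist()      # standard normal distribution
N_PERIODS = 6           # six inventory periods, as in the two cases in the text
ALPHA = 0.05            # overall false alarm rate quoted in the text
P_DETECT = 0.90         # required detection probability quoted in the text


def per_period_alpha(alpha, n):
    """Per-period false alarm rate giving `alpha` overall for n independent tests."""
    return 1.0 - (1.0 - alpha) ** (1.0 / n)


def p_detect_id(losses, sigma, alpha=ALPHA):
    """ID/LEID: alarm if any single period's ID exceeds its limit (ASSUMED model)."""
    z = STD.inv_cdf(1.0 - per_period_alpha(alpha, len(losses)))
    p_miss = 1.0
    for loss in losses:
        # Probability that this period's ID stays under its limit despite the loss.
        p_miss *= STD.cdf(z - loss / sigma)
    return 1.0 - p_miss


def p_detect_cusum(losses, sigma, alpha=ALPHA):
    """CUSUM as CID vs LECID, tested once after the last period (ASSUMED model)."""
    z = STD.inv_cdf(1.0 - alpha)
    sigma_cid = sigma * sqrt(len(losses))   # independent period IDs assumed
    return 1.0 - STD.cdf(z - sum(losses) / sigma_cid)


def block_loss(total, n=N_PERIODS):
    """Single loss in the last of n periods."""
    return [0.0] * (n - 1) + [total]


def constant_loss(total, n=N_PERIODS):
    """Loss spread uniformly over n periods."""
    return [total / n] * n


def min_detectable_total(test, scenario, sigma=1.0, p_goal=P_DETECT):
    """Smallest total loss (in units of sigma) detected with probability p_goal."""
    lo, hi = 0.0, 100.0 * sigma
    for _ in range(60):                     # bisection on a monotone function
        mid = (lo + hi) / 2.0
        if test(scenario(mid), sigma) >= p_goal:
            hi = mid
        else:
            lo = mid
    return hi


def compare():
    """Minimum detectable total loss for each (scenario, technique) pair."""
    results = {}
    for sname, scen in (("block", block_loss), ("constant", constant_loss)):
        for tname, test in (("ID/LEID", p_detect_id), ("CUSUM", p_detect_cusum)):
            results[(sname, tname)] = min_detectable_total(test, scen)
    return results


if __name__ == "__main__":
    for (scenario, technique), loss in compare().items():
        print(f"{scenario:9s} {technique:8s} detects {loss:5.2f} sigma total loss")
```

A smaller multiple of sigma means a larger LEID can be tolerated for the same loss goal, so under these assumptions ID/LEID is preferred for the block loss and CUSUM for the constant loss, in line with their relative order in Table VI-2.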

Conclusions and Recommendations

This analysis of current ID/LEID practices, historical ID and LEID data, and emerging trend analysis techniques leads the Task Force to the following conclusions:

ID/LEID comparisons are the primary source of data analysis in support of material accounting's assurance role.

However, the comparisons should be based on providing a given probability of detecting a loss, consistent with the goals proposed by the Task Force, and the comparisons should be based on a recognition that small and even negative IDs are not conclusive proof that no loss has occurred.

Studies and analyses indicate that some licensees are underestimating their LEIDs and that ID data contain other than measurement errors, e.g., clerical errors.

Trend analysis in the form of the CUSUM technique provides licensees an efficient and straightforward complement to the detection capability provided by ID/LEID and can assist in identifying anomalies that ID/LEID cannot.

More sophisticated analysis techniques can provide NRC with enhanced sensitivity in some cases for identifying anomalies that CUSUM and ID/LEID cannot.

These conclusions, and the recommendations that follow, deal with the best methods presently available for analyzing material accounting data, and will have applicability to material control data if an information base for material control develops in the way the Task Force envisions.

The Task Force recommends that:

RVI-4(a) Licensees use CUSUM techniques in conjunction with ID/LEID comparisons to analyze material accounting data in support of material accounting objectives and goals (specified levels of detection probabilities.)

(b) NRC, acting in its assurance function, make use of applicable sophisticated data analysis techniques to monitor material accounting data on a routine basis.

This will require an increase in the quality and types of data the NRC receives from licensees.

The Task Force further recommends that NRC take necessary steps to ensure that the requested information is received and used in a timely manner.

The Task Force also believes that significant improvements can be made in the quality of ID data, measurement uncertainty data, and analysis of limits of error based upon this data. Therefore the Task Force recommends that:

(c) NRC provide definitive guidance for licensees in estimating limits of error on inventory differences and cumulative inventory differences, and in developing improved measurement techniques and strategies.

RAPID MATERIAL CONTROL

Background

Concepts for "rapid" control of SSNM began to receive serious consideration for safeguards applications around 1974.

A proposed study to this end, Real-Time Material Control (RETIMAC), was advanced in a staff paper (Ref. VI-11) to the Atomic Energy Commission in response to a report on a "Special Safeguards Study" carried out for the AEC under the leadership of Dr. David Rosenbaum.

The RETIMAC study, a project planned to begin during FY-76 to develop a computer based real-time material monitoring system for SNM, was summarized in the 1974 staff paper and detailed in its enclosure (Ref. VI-12).

Subsequently, some advance funds were made available by the AEC in FY-75 to initiate efforts to evaluate, both by analytical and by physical means, the RETIMAC concepts.

The project was taken over and managed by the "NRC Special Safeguards Study" (SSS) (Ref. VI-13) in February 1975.

One objective of the latter study was to assess systematically the upgrading safeguards measures identified in a draft GESMO (Ref. VI-14) and to develop a safeguards plan for the protection of plants and material in the plutonium recycle or high enriched uranium fuel cycle.

During the same time (circa 1975), the interfacing of on-line non-destructive assay (NDA) techniques with a dedicated computer to generate, accumulate and analyze data for material control purposes was being considered at Los Alamos Scientific Laboratory (LASL).

The ideas contained in LASL's plan for "Dynamic Material Control" (DYMAC) were not significantly different from those contained in RETIMAC (Ref. VI-15).

The LASL efforts are continuing as part of a long-range study, sponsored by DOE to develop generic designs and evaluation methods for advanced nuclear material management systems.

Another ongoing study warrants mention in this introduction to "rapid" material control.

At NRC's request, Monsanto Research Corporation (Mound) has been applying the concept of the "Controllable Unit" to material monitoring.

The concept is old; the application to the control of nuclear material is new.

A task was initiated in FY-76 to apply the "controllable unit" concept to a prototype mixed-oxide fuel fabrication plant used by several DOE and NRC contractors to test their proposed systems.

Use of this prototype plant allows an objective comparison of the capabilities of various material control techniques and their associated costs.

Rapid material control, its precursor, RETIMAC, and the LASL DYMAC system are discussed below.

A description of the "controllable unit" approach to material control follows.

This section concludes with Task Force recommendations on rapid material control systems.

Real-Time, Dynamic or Rapid Material Control Systems

The central feature of a real-time material control system is an on-line computer interfaced directly with material assay stations located throughout a plant.

This concept usually demands rapid in-line assay measurements of mainstream SSNM flow, off-line assay measurements of sidestream SSNM flow (scrap, waste, and analytical samples), continuous monitoring of the status of SSNM containers in storage, automatic identification of containers being transferred between areas, and continuous process simulation and monitoring by the computer to provide a system of timely material loss alarms.

Status of Technical Efforts

The practicality, theft detection capabilities, and cost of real-time material control systems have been studied by NRC and, to some extent, by DOE.

The NRC Special Safeguards Study evaluated the RETIMAC conceptual design (Ref. VI-16) for a real-time system and found that some of the components did not exist, and that some that did exist had unproven operating capabilities in the harsh and complex environment encountered in fuel cycle material processing operations (Refs. VI-17 through VI-20).

The NRC Special Safeguards Study consequently used for their evaluations model material control systems that substantially simplified the RETIMAC design into a "rapid" monitoring system. This did not depend on the extensive use of on-line NDA instrumentation, continuous process simulation, or the real-time calculation of material balances for each process module and the comparison of these balances with the simulation model.

The "rapid" system includes the use of NDA equipment when deemed necessary (e.g., the NDA of scrap and waste materials).

In the "rapid" monitoring system, primary loss checks are made at the end of each work shift.

With a "rapid" monitoring system, approximate material balances would be computed for MBAs at the end of each operating shift based on measurements of mainstream SSNM flow, SSNM in storage, sidestream flow, and on estimates of inventory changes for in process and holdup SSNM.

At normal breakpoints in the process cycle (after runout and after cleanout), SSNM material balances would be computed for MBAs based entirely on assay measurements.

At these times, the buffer storage and in process SSNM inventories are normally zero and holdup SSNM can be determined.

Item counts would be performed for all of the different types of material balances to verify the inventory of item control areas (ICAs).

Item accounting would be performed by a system of automatic item locators within each ICA or by an end-of-shift "nose count" of items where automated systems are not applicable.

The results of these material balances and item counts would be analyzed to generate prompt theft alarms for single diversions of significant quantities of SSNM and delayed theft alarms for multiple diversions of smaller quantities of SSNM.

These theft alarms would be combined with alarms from the safety and physical security systems to produce a hierarchy of safeguard alarms ranging from "check a calibration" to "secure and search" an MBA.

The NRC Special Safeguards Study model systems were found to be reasonably sensitive to loss, but the costs for even the simplified systems were high, a five million dollar capital investment and a one million dollar annual operating cost, in relation to the benefits received.

The NRC Special Safeguards Study model "rapid" monitoring system indicated certain process areas in which "rapid" material control would not be a very sensitive means of detecting a theft, e.g., the separations and nitrate-to-oxide conversion areas of a reprocessing plant.

Fortunately, material in these areas is well protected by the physical barriers that are required for health, safety, and environmental protection.

Under DOE sponsorship, the LASL is developing their own "model nuclear materials control system," Dynamic Materials Control (DYMAC) (Refs. VI-21 & VI-22).

This approach uses a plantwide network of on-line NDA measurement and verification instruments interfaced to a computerized materials control system and incorporates the following key elements:

(a) an in-line measurement system relying heavily on newly developed NDA instruments to provide "real-time" quantitative assay data at key measurement points; (b) directly automated transfer of data from the plant floor into a central computer; and (c) an automated system to rapidly determine material balances for small segments of a plant, usually for unit operations.

All materials flowing into and out of a unit process, including residues and waste, would be measured and the data would be used to record transactions of material flows in a central accounting computer.

LASL has applied the DYMAC elements to the prototype mixed-oxide fuel fabrication plant used extensively in the NRC Special Safeguards Studies (Ref. IV-23).

DYMAC appears to be more effective than was the NRC Special Safeguards Study "rapid" control system in detecting material losses.

However, LASL has made several optimistic assumptions which may make their DYMAC model appear better than it will perform in practice.

The costs of DYMAC are at least as large as the estimates of the NRC Special Safeguards Study "rapid" material control system, which are judged to be too large for the loss-detection capabilities gained.

The continuing LASL studies may provide new information that will necessitate reconsideration of these preliminary conclusions.

The System Planning Corporation was requested by the Division of Safeguards and Security, DOE, to perform an independent evaluation of the DYMAC program with respect to its application to the prototype mixed-oxide fabrication plant.

A quote from their report (Ref. VI-24) places the status of "rapid" material control and accounting in perspective:

"The LASL Materials Measurement and Accounting System incorporates features which result in materials accounting sensitivities that may be the best that can reasonably be expected of medium-to-low risk technology utilizing nondestructive assay (NDA) equipment and unit processes accounting in a system of dynamic materials accounting.

This concept, however, is only one of several alternative materials accounting approaches that could be considered in the design of an adequate safeguards system.

Materials accounting sensitivity could probably be relaxed in favor of complementary physical security features at reduced cost in an integrated system.

LASL design personnel are aware of such a possibility.

Nevertheless, viable MMAS alternatives have not been systematically formulated.

Consequently, tradeoffs cannot yet be assessed among various materials accounting and physical security methods."

DOE is installing real-time or "rapid" material control systems at several of their contractor plants.

For example, systems are being designed and tested at the Oak Ridge Y-12 plant, the Portsmouth uranium enrichment plant, LASL, and Rocky Flats.

These DOE contractors are scheduled to complete installation of their systems by 1980.

Some NRC licensees, in particular the General Electric Company facility at Wilmington, are also moving toward rapid material control systems by dynamically transmitting their process control and material control and material accounting measurements into a central computerized accounting system.

The Task Force feels that NRC should follow closely the development, installation, and operation of these systems, especially the development of the DYMAC program at LASL.

The Controllable Unit Approach

The controllable unit (CU) method of material control is a system designed to identify measurement errors for corrective action, locate areas and time frames of material losses, define time and sensitivity limits of material loss alarms, define the time frame in which pass-through quantities of special nuclear materials remain controllable, and provide a basis for identification of incremental costs associated with any process changes or new measurements imposed purely for safeguards purposes.

The concept provides a rationale by which measurement variability and a specific safeguards criterion can be evaluated according to the degree of control attainable.

The CU system partitions a process according to a stated control criterion, such as detection of a loss of x kilograms of material with a probability of y% over a period of z days.

This approach is structured to provide a capability and a sensitivity to detect a loss of a specified quantity of SNM, within and among process partitions, for a given material throughput.

The CU, a complement to material balance accounting, is a material control methodology designed to take into account the system logic and statistical characteristics of a plant process through the formulation of closure equations.

The methodology is adaptable to plant processes of varying degrees of design and operational complexity.

Application of the method is not expected to require major alteration or modification of an applicant's process.

Since analysis of the loss detection capability of a plant as it exists or as it is planned is a natural first step in the evaluation scheme, estimates of the cost/effectiveness of any changes made to the process or the measurement system for purely safeguards purposes can be easily obtained as an incremental cost.

The CU methodology iteratively compares the actual control capability to a defined safeguards criterion, i.e., the capability to detect a given loss with high confidence in a stated time.

Additions or refinements to the measurement system or to the process are modeled and iteratively compared to the "criterion" until it can be met.

This systematic comparison is designed to ensure that a complicated process measurement system will perform to the level specified by the "criterion." Further, since the existing or proposed process operation is simulated as part of the CU method, modifications to the process for any reason can be theoretically evaluated before implementation to determine their effect on material control.

A summary flow diagram of the CU methodology is shown in Figure V-2.

[Figure VI-2. CU Methodology (flow diagram). Steps shown: model process; examine measurement information and formulate closure equations; calculate system variability; meet criteria? (yes/no); identify dominating errors; further measurement refinements beneficial? (yes/no); model specific system refinements; modify process; define controllable units; implement chosen process/measurements system.]

Status of Technical Effort

The CU concept has been applied as a demonstration model to the NRC Special Safeguards Study prototype high-throughput mixed-oxide fuel fabrication plant (Ref. VI-25).

A simulation model of such a plant has been developed.

The simulation includes all material flows, material measurements and their associated uncertainties, factors to predict material holdup in process lines and equipment, and all process conditions.

The operation of such a plant has been simulated on a laboratory computer to generate typical plant operation data.

The model has been designed to include normal process interruptions such as cleanout, equipment malfunction, scheduled maintenance, and the like.

Another computer program, an information program, has been written which analyzes all of the simulated plant operation data by the CU scheme.

Short-term closure equations have been designed to detect single diversions.

Other closures have been designed to detect long-term or multiple theft.

By application of the two computer programs, measurement errors that limit the sensitivity of the system to detect diversion have been identified.

Means of significantly reducing the cumulative effect of these individual measurement errors have been devised and tested.

A set of CUs for the prototype plant has been defined.

The sensitivity of the CU scheme for diversion detection in the prototype plant has been evaluated and preliminary indications are that the scheme meets the safeguards criteria stated as a goal of the study, i.e., the detection of a loss of two kilograms of plutonium with a probability of 97.5% over an inventory interval.

Although conclusions for this study are not yet final, results to date indicate that the method may be effective for timely detection of SNM loss and for material control.
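The iterative comparison against the criterion described in this section can be sketched as follows. This is an added example, not the Mound simulation or information program: it assumes a single closure equation whose measurement errors are independent and normally distributed, a 5% false alarm rate, and constructed uncertainty values; all names are hypothetical.

```python
from math import sqrt
from statistics import NormalDist

STD = NormalDist()
GOAL_KG = 2.0       # loss to be detected (criterion quoted in the text)
P_DETECT = 0.975    # detection probability (criterion quoted in the text)
ALPHA = 0.05        # false alarm rate: ASSUMED, not stated for the CU study

# Constructed one-sigma uncertainties (kg Pu) for the terms of one closure equation.
MEASUREMENT_SIGMAS = {
    "feed assay": 0.30,
    "product assay": 0.25,
    "holdup estimate": 0.60,
    "scrap/waste NDA": 0.35,
}

# Constructed sigmas achievable if a given measurement is refined.
CANDIDATE_REFINEMENTS = {
    "holdup estimate": 0.20,
    "scrap/waste NDA": 0.20,
    "feed assay": 0.15,
}


def closure_sigma(terms):
    """System variability of the closure: root-sum-square of independent errors."""
    return sqrt(sum(s * s for s in terms.values()))


def detectable_loss(sigma, p_detect=P_DETECT, alpha=ALPHA):
    """Smallest loss detected with p_detect when alarming at the alpha limit."""
    return (STD.inv_cdf(1.0 - alpha) + STD.inv_cdf(p_detect)) * sigma


def dominating_error(terms):
    """Measurement contributing the largest variance to the closure."""
    return max(terms, key=lambda name: terms[name])


def refine_to_criterion(terms, refinements, goal_kg=GOAL_KG):
    """Refine the dominating error repeatedly until the criterion is met."""
    terms, refinements = dict(terms), dict(refinements)
    applied = []
    while detectable_loss(closure_sigma(terms)) > goal_kg:
        worst = dominating_error(terms)
        if worst not in refinements:
            return terms, applied, False     # no beneficial refinement left
        terms[worst] = refinements.pop(worst)
        applied.append(worst)
    return terms, applied, True


if __name__ == "__main__":
    before = detectable_loss(closure_sigma(MEASUREMENT_SIGMAS))
    final, applied, met = refine_to_criterion(MEASUREMENT_SIGMAS,
                                              CANDIDATE_REFINEMENTS)
    after = detectable_loss(closure_sigma(final))
    print(f"detectable loss before refinement: {before:.2f} kg")
    print(f"refinements applied: {applied}")
    print(f"detectable loss after refinement:  {after:.2f} kg (criterion met: {met})")
```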

Future technical efforts are required to evaluate the usefulness of the CU concept including application of the technique at operating plants.

Studies are underway to test the vulnerability of the method to falsification of data or possible other adversary attempts to defeat the system.

A statistical package is being developed that will provide the means for assessing the continuing performance of the system as a whole, i.e., the statistical analysis of the complete set of closure equations.

Once this has been accomplished, a handbook will be written describing in detail how to apply the concept to nuclear facilities.

Conclusions and Recommendations

The Task Force is of the opinion that NRC should continue to monitor the efforts underway by DOE to develop and implement real-time material control systems at its facilities.

Continuing development efforts by DOE to demonstrate the validity of the assumptions underlying the use of real-time systems (e.g., that benefits outweigh the costs, that the components can be kept operational in the environment encountered without excessive downtime and maintenance, that the measurement uncertainties reported for on-line routinely operated NDA equipment can be achieved, and that the false alarm rates will not be excessive) may result in technology that NRC can recommend to licensees to assist them in meeting the goals in Chapters Three and Four of this report.

Certain concepts effectively demonstrated in the NRC Special Safeguards Study report on "rapid" material control were used by the Task Force in developing some of its goal statements.

The best examples of this are those goals pertaining to the shift monitoring of the status of items and containers of SSNM.

Not only did the NRC Special Safeguards Study show the usefulness of this concept, but also that technology is available to do much of the monitoring, cost effectively, by interfacing laboratory computers with appropriate sensors.

The Task Force feels that the conclusions of the NRC Special Safeguards Study are warranted, i.e., that the costs for systems such as the simplified RETIMAC and the DYMAC currently exceed the benefits attained when evaluated against the safeguards needs.

The Controllable Unit approach to material control and loss detection is a potential method to provide a process monitoring capability for meeting the goals set forth in Chapter Three of this report.

If effective, the Controllable Unit approach could provide one method of performing process monitoring in commercial fuel cycle facilities where material is accessible to theft or diversion.

Therefore, the Task Force recommends the following:

RVI-5(a) NRC should encourage DOE specifically to address the question of cost effectiveness in their continuing studies of rapid material control systems such as DYMAC.

(b) NRC should expedite test applications of the Controllable Unit methodology so that conclusions can be reached about its practical effectiveness.

COLLUSION AND MATERIAL CONTROL AND MATERIAL ACCOUNTING

Background

Collusion and conspiracy are defined by the American College Dictionary (Ref. IV-26) as a "secret agreement for a fraudulent purpose; conspiracy," and "a combination of persons for an evil or unlawful purpose; a plot," respectively.

The proposed new physical protection rule (Ref. VI-27) requires safeguards that have the capability to "prevent with high assurance theft of strategic special nuclear material and protect against radiological sabotage by a conspiracy of insiders or employees in any position."

It is important to consider the role of the material control and material accounting systems in contributing to that capability as part of an integrated safeguards program.

This section presents a brief analysis of the safeguards problem of preventing an insider theft of SSNM involving collusion.

The first part discusses the sorts of safeguards available against collusion, emphasizing the role that material accounting and, particularly, material control can play in this aspect of the safeguards programs.

The section ends with the Task Force's conclusions and recommendations with regard to structuring material control and material accounting programs to deal with the threat of collusion.

Unknowing Cooperation Having Collusion Effects

Before beginning the discussion of collusion directly related to theft, we address the situation in which employees may unwittingly cooperate in actions which have the same effect as collusion to assist in a theft or diversion.

For example, facility management may, for reasons totally unrelated to any conspiratorial intent to steal SNM, act to prevent or inhibit the assessment or investigation of alarms from the material control or material accounting programs.

An excellent discussion of possible motivations for such action is given in Chapter IV of Reference IV-28.

In essence, this sort of situation may occur because the material control or material accounting programs are structured so that:

(1) false or nuisance alarms are frequent, (2) alarms are difficult or expensive to assess or investigate, or (3) facility management perceives the safeguards requirements placed upon it as an unreasonable impediment to production.

This type of "collusion" is likely to be difficult to detect since the motivation is not one of theft but rather one of maintaining production.

The major difficulty in dealing with this sort of situation, and the one that is most important to safeguards, is that if it is taking place it degrades the safeguards system.

Care must be taken in the structuring of material control and material accounting programs to minimize, to the degree possible, the motivations for such action and to provide checks and balances to prevent such actions effectively.

The Stages of Collusion

The germ of the structure of subsequent analysis of safeguards against theft by collusion is the concept of preplanning or plotting, as given in the definition of collusion.

This definition of collusion is more restrictive than that used in some analysis techniques dealing with competition and cooperation such as cooperative game theory.

However, those situations in which cooperation occurs without preplanning have been explicitly dealt with in the preceding discussion.

Therefore, this more restrictive definition of collusion causes no loss of generality in the analysis.

For the purpose of analysis, an adversary action sequence involving the theft of SSNM by collusion can be separated into two stages.

The first stage of the adversary action sequence is defined to be the assembly of the group of conspirators and the planning of the theft.

The second stage of the adversary action sequence consists of actions by the conspirators to defeat the safeguards system.

This separation of the adversary action sequence into two stages, although somewhat arbitrary, is convenient for analysis and causes no loss of generality or validity in the results.

Since the adversary must successfully complete both stages of the action sequence in order to successfully complete a theft of SNM by collusion, the analysis can address each stage separately.

Clearly, a safeguards program to prevent theft by collusion is effective if it prevents the adversary from successfully completing either stage of the adversary action sequence.

Moreover, a safeguards system which prevents the adversary from accomplishing each stage of the action sequence with moderate assurance should have a high assurance of preventing theft by collusion, provided the safeguards for each stage function independently.

Finally, the safeguards program can be structured so that collusion threats with different attributes can be addressed during different stages.

As further analysis will show, it is this property which promises to make the collusion problem manageable in practice.

It is therefore useful to consider in detail those portions of the safeguards program which can function effectively during each of the two stages of the adversary action sequence.

Safeguards Against Collusion

Stage One Safeguards

The safeguards that can function effectively during the first stage of the adversary action sequence are those designed either to prevent a conspiracy from forming or to detect it before it acts against the safeguards system.

Security clearances, personnel reliability programs, and psychological and polygraph testing fall into this category.

Other techniques and programs designed to ensure that only trustworthy individuals occupy sensitive positions are also in this category.

Safeguards of this type are expected to be more effective in preventing and detecting collusion involving large numbers of conspirators.

This occurs for several reasons.

First, selective hiring practices significantly reduce the expected number of untrustworthy employees who might participate in a conspiracy.

This, in itself, serves to reduce significantly the probability of large conspiracies.

Second, the procedures and techniques that monitor the trustworthiness of individuals in sensitive positions are more likely to detect large conspiracies simply because more people occupying sensitive positions are involved.
Third, there is the possibility that a trustworthy individual, whose assistance has been solicited by the conspirators, will report the incident to management or law enforcement personnel.

Naturally, the probability that this will occur increases with the number of individuals whose aid is solicited, tending to make large conspiracies more likely to be detected.

Finally, this expectation of increased detection probability is thought to act as a deterrent to the formation of large conspiratorial groups.

Therefore, the types of safeguards that function during the first stage of the adversary action sequence are expected to become more effective as the number of individuals in collusion increases.

The contention has been raised during the discussion of the proposed new physical protection rule (Ref. VI-27) that NRC should accept security clearances alone as an adequate safeguard against collusion since the military accepts security clearances as partial protection against collusion involving the theft or misuse of nuclear weapons.

However, as Reference VI-29 indicates, the nuclear surety program for weapons used by the military encompasses not only security clearances but also personnel screening activities which may include psychiatric evaluation, periodic evaluations by a unit commander, and continual monitoring of the individual's behavior by his peers and superior officers.

Although attractive as a safeguard against collusion, a personnel reliability program which includes this type of psychological testing and continual observation by peers and supervisors may not be practical or appropriate for the civilian nuclear industry.

While it is generally accepted that clearances based on full field background investigations substantially reduce the likelihood of malevolent conspiracies, it is difficult to obtain any quantitative estimates of the probability of collusion between two cleared individuals.

A conservative estimate for the probability that a single security cleared individual will prove untrustworthy could be inferred from the number of security cleared individuals who are rejected from military personnel reliability programs.

This estimate is expected to be conservative since some of those individuals would have been removed from sensitive duty positions for reasons unrelated to any potential security risk.

This measure could be extended to obtain a conservative estimate of the probability of a conspiracy involving two employees in an organization by estimating the probability that two untrustworthy, security cleared individuals are employed by the organization.

This estimate would most certainly be overly conservative because it totally neglects the difficulties that the two potential conspirators would have in locating each other without detection.

Nevertheless, these concepts need more study so that the degree of assurance that security clearances can provide against the formation of malevolent conspiracies can be assessed more precisely.

It is important to note that the major impetus for establishing effective stage one safeguards must come from the safeguards management system, not from material control or material accounting.

There is little that material control or material accounting can do, other than in the careful selection and training of personnel for material control and material accounting positions, to prevent the formation of insider conspiracies.

However, the following discussion indicates that material accounting and, particularly, material control can play a major role in preventing, detecting, or impeding such conspirators from successfully executing their plans to steal or divert nuclear material.

Stage Two Safeguards

The safeguards which can function effectively during the second stage of the adversary action sequence; i.e., actions by the conspirators to defeat the safeguards system, are those designed to prevent, detect, impede, and respond to such actions by one or more individuals.

It is at this stage of the action sequence that the checks and balances designed into the physical protection, material control, and material accounting systems can be effective as safeguards against collusion.

Although these safeguards are best analyzed as a part of an integrated safeguards program, this discussion will limit itself to a discussion of the material control and material accounting systems.

The material control system is expected to be more effective against collusion because it is more timely.

Properly structured, the material control system and, to a lesser degree, the material accounting system can assist in preventing, detecting, impeding, and responding to attempted theft of SNM by a conspiracy.

They can accomplish this primarily through the system of checks and balances and reporting procedures designed into the material control and material accounting systems as envisioned by the Task Force goals in Chapters Three and Four.

Goals for checks and balances designed into the material accounting system and independent audits of both the material control and material accounting system also provide secondary capabilities of this sort.

In order to be effective, the system of checks and balances, reporting procedures, and audits must be sufficiently diverse and redundant that they cannot be subverted by any two or more employees acting in collusion. While such a diverse and redundant capability may be possible in theory, it will rapidly become inordinately complex and cumbersome as the size of the conspiracy it is designed to protect against increases.

In fact, it is possible that the degree of diversity and redundancy required to maintain checks and balances and reporting and audit capabilities with effective protection against all possible conspiracies involving any two individuals in a nuclear facility may not be achievable in practice.

However, the checks and balances, reporting procedures, and audits can be structured to significantly reduce the number of potential conspirators to whom the material control and material accounting safeguards are vulnerable.

Analysis techniques which are currently under development by the National Bureau of Standards (Ref. VI-30), Lawrence Livermore Laboratories (Ref. VI-31), and Science Applications, Inc. (Ref. VI-32) are expected to provide a methodology to enumerate the possible pairs of individuals who, acting in conspiracy, could defeat or significantly degrade any specified material control and material accounting system.

These evaluative methodologies can be extended to assess the vulnerability of those same material control or material accounting systems to collusion involving more than two insiders.

These methodologies may potentially provide a quantitative measure of the effectiveness of any specific material control or material accounting system against theft of SNM by collusion.
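
The kind of enumeration described above can be illustrated with a small model. This is an added example, not code from the report or from the NBS, Lawrence Livermore, or Science Applications work it cites; the roles, checks, and paths are constructed, and the rule that a check fails only when one complete group of its custodians colludes is an assumption of the model.

```python
from itertools import combinations

# Constructed model. Each check maps to the alternative groups of insiders
# that could defeat it; ANY one fully colluding group defeats the check.
BASELINE_CHECKS = {
    "vault_two_person_rule": [{"vault_custodian", "shift_supervisor"}],
    "transfer_countersign": [{"accounting_clerk"}, {"shift_supervisor"}],
    "scale_log": [{"process_operator"}, {"instrument_tech"}],
    "portal_monitor": [{"guard"}, {"instrument_tech"}],
}

# Same system after the shared instrument role is split into two independent
# roles (a diversity measure; also constructed).
HARDENED_CHECKS = {
    **BASELINE_CHECKS,
    "scale_log": [{"process_operator"}, {"scale_tech"}],
    "portal_monitor": [{"guard"}, {"portal_tech"}],
}

# Constructed paths: every check listed on a path must be defeated.
PATHS = {
    "vault_removal": ["vault_two_person_rule", "transfer_countersign", "portal_monitor"],
    "process_skim": ["scale_log", "portal_monitor"],
}


def staff_of(checks):
    """Every individual who appears in at least one check, sorted by name."""
    return sorted({p for options in checks.values() for group in options for p in group})


def path_defeated(colluders, checks, path):
    """True if, for every check on the path, some defeating group is fully inside colluders."""
    return all(any(group <= colluders for group in checks[name]) for name in path)


def system_defeated(colluders, checks, paths):
    """True if the colluders can defeat at least one complete path."""
    return any(path_defeated(colluders, checks, path) for path in paths.values())


def minimal_collusion_sets(checks, paths, max_size):
    """Smallest groups (up to max_size) that defeat the system; supersets are dropped."""
    found = []
    for size in range(1, max_size + 1):
        for combo in combinations(staff_of(checks), size):
            group = frozenset(combo)
            if any(smaller <= group for smaller in found):
                continue  # already covered by a smaller conspiracy
            if system_defeated(group, checks, paths):
                found.append(group)
    return found


def vulnerable_pairs(checks, paths):
    """All pairs of individuals who, acting together, could defeat the system."""
    return [pair for pair in combinations(staff_of(checks), 2)
            if system_defeated(frozenset(pair), checks, paths)]


if __name__ == "__main__":
    for label, checks in (("baseline", BASELINE_CHECKS), ("hardened", HARDENED_CHECKS)):
        total = len(list(combinations(staff_of(checks), 2)))
        print(label, "minimal sets (size <= 3):")
        for group in minimal_collusion_sets(checks, PATHS, 3):
            print("   ", sorted(group))
        print(f"    vulnerable pairs: {len(vulnerable_pairs(checks, PATHS))} of {total}")
```

In the constructed baseline one shared role defeats two checks by itself; splitting that role removes the single-person case and reduces, but does not eliminate, the vulnerable pairs.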

Summary

In summary, the adversary action sequences for theft by collusion may be divided into two stages for analysis: (1) the assembling of the conspirators and planning of the theft and (2) the actual execution of the theft.

Security clearances and various personnel reliability programs--all parts of the safeguards management system--can be used to minimize the possibility of a conspiracy forming effectively (stage one).

The material control, material accounting, and physical protection systems can be structured to prevent a conspiracy from successfully completing the second stage.

Although there are no measures of effectiveness for security clearance and personnel reliability programs, it is generally accepted that personnel security clearances based on full field background investigations can reduce substantially the likelihood of malevolent conspiracies.

Clearances also are thought to provide increasingly effective safeguards as the number of security cleared individuals involved in a conspiracy increases.

It also is recognized that large conspiracies are more likely to be detected, even in the absence of security clearances.

Evaluative methodologies under development have the potential to provide a measure of effectiveness for procedural and technological safeguards against theft by collusion.

While the results of the application of these methods to large classes of procedural and technological safeguards against theft by collusion are not yet available, it is generally accepted that the effectiveness of the safeguards, e.g., material control or material accounting, decreases as large conspiracies are considered.

Conclusions and Recommendations

The following recommendations deal with material control and material accounting; however, it should be recognized that, because these two programs are viewed as part of the integrated safeguards program, it may be desirable to meet some of the recommendations by appropriate combination of the material control, material accounting, and physical protection systems.

The safeguards effectiveness of a security clearance program is expected to increase as the number of cleared individuals involved in a conspiracy increases.

However, the safeguards effectiveness of the procedural and technical safeguards against collusion, embodied in the material control, material accounting, and physical protection systems is expected to decrease as the size of the conspiracy increases.

Therefore, there seems to be a conspiracy size at which the optimum safeguards program would change from primary reliance on procedural and technical safeguards against collusion with secondary reliance on clearances to primary reliance on clearances with secondary reliance on procedural and technical safeguards.

However, in order to determine this trade-off point, it is necessary to obtain measures of the effectiveness of security clearances and procedural and technical safeguards in preventing theft by collusion.

Therefore the Task Force recommends that:

RVI-6(a) A technical study be conducted to determine a quantitative measure or at least a figure of merit for the effectiveness of a security clearance program, based upon full field background investigations, in protecting against malevolent conspiracies involving two or more security cleared individuals.

In the absence of the results of these studies, it is difficult to make any specific recommendations concerning the level of collusion that the material control and material accounting systems should provide protection against.

However, there are a few minimum capabilities that the Task Force considers necessary for the material control and material accounting programs.

Therefore the Task Force recommends that:

(b) A specific effort be initiated to formulate an approach to combating collusion.

This effort should specifically consider the contribution that material control and material accounting programs can make to safeguards effectiveness in this area.

A starting point is to consider the feasibility of requiring that the material control and material accounting systems, in conjunction with physical security systems, have sufficiently diverse and redundant checks and balances to prevent, with a high degree of assurance, any conspiracy involving one cleared individual in any position and one or more individuals without security clearances from significantly degrading the safeguards capabilities of either the material control or the material accounting systems.

INFORMATION FLOW AND ANALYSIS

Background

As indicated in Chapters Three and Four, specific goals for material control and material accounting were derived from the NRC operating assumption on construction of a CFE.

Most of these goals relate to licensees' responsibilities for material at individual facilities or to material transferred between two facilities.

A few material accounting goals related specifically to NRC activities, involving either application of advanced analytical techniques to individual facilities or monitoring and analysis of material status across the licensed nuclear industry.

Both types of activities require a flow of information to NRC.

This section discusses current information flow and analysis, summarizing what safeguards information is submitted to NRC, who gets it, when it is received, and what is done with it.

The discussion focuses primarily on the goals identified in Chapter Four (Material Accounting) and includes recommendations for future actions to meet these goals.

The Task Force recognizes that an adequate information base must address all of NRC's safeguards needs and must support future integrated safeguards planning and evaluating capabilities as discussed in Chapter Five.

Detailed discussion of an integrated safeguards information program is beyond the scope of this study, as is a detailed discussion of an integrated safeguards system.

However, an extensive contractual effort is currently underway to develop an Integrated Safeguards Information System (ISIS) for NRC.

The following discussion focuses on two specific goals from Chapter Four:

MA 12:

Establish within NRC a capability for monitoring and analyzing all shipper-receiver differences to detect and investigate trends or biases that may be used to conceal diversion or thefts or that adversely affect the theft detection capability at a given facility.

MA 17:

NRC should provide a monitoring capability to perform in-depth data analyses to measure licensee performance against NRC objectives and goals and to assess both short and long term inventory differences and other material accounting data of SSNM licensees and the licensed fuel cycle.

Current Information Flow

Currently, there are five primary modes of information flow related to a licensee's performance with respect to all material control and material accounting objectives and goals:

(1) Licensee reports of nuclear material transfers and of material status which are required by regulations and license conditions. These reports form the data base for NRC's computerized Nuclear Material Management and Safeguards System (NMMSS).

(2) Licensee reports of material accounting data not specifically required by current regulations. These reports form the data base for NRC's Safeguards Status Report System (SSRS), commonly referred to as the Office of Inspection and Enforcement (IE) "White Book."

(3) IE inspection and investigation reports.

(4) Office of Nuclear Material Safety and Safeguards (NMSS)/IE comprehensive evaluation reports.

(5) Licensee reports of abnormal situations or occurrences, required by regulations and directives.

Nuclear Material Management and Safeguards System

NRC jointly supports the DOE/NRC Nuclear Materials Management and Safeguards System (NMMSS).

The NMMSS is operated by Union Carbide Corporation at Oak Ridge, Tennessee on a contractual basis with NRC and DOE.

NRC regulations require each licensee who transfers and each licensee who receives one gram or more of contained U-235, U-233, or plutonium to report on NRC Form-741 this transfer or receipt to the NMMSS.

The shipper must submit a 741 form promptly after the transfer takes place.

The receiver must submit a 741 form within 10 days after receipt of the material.

For shipments of 350 grams or more, measurement uncertainty data must be included on the copy of the 741 form submitted to NMMSS (this information is not always supplied to the licensee receiving the shipment).

Shipper-receiver differences which are statistically significant at the 95 percent confidence level and involve 50 grams or more of SSNM must be reconciled by the two parties.

Forms received at Oak Ridge are systematically edited and apparent data errors are resolved by direct contact with the licensees.

NRC regulations also require licensees who possess more than 350 grams of SNM to submit a material status report to NMMSS every six months on NRC Form-742.

This report is a summary of material holdings and transactions based on plant records as adjusted by the results of physical inventories.

It does not include information on LEID* associated with the physical inventories conducted since the last report or for a six-month LEID.

The report is used to update and balance NMMSS data on plant holdings.

Subsequent 741 forms are used to update plant holdings on a more timely basis until the next Form 742 is submitted.

The NMMSS generates and distributes a number of reports on a periodic basis.

In addition, special reports can be prepared on a demand basis.

Currently, about forty reports are routinely distributed within NRC, some to several recipients.

These reports consist of several general types:

directories (NRC licensees, waste storage sites, etc.); inventory reports, ranging from individual facility holdings to summaries of all materials licensed by the NRC in the private sector; material balance reports; survey and inspection planning reports; safeguards data monitoring reports, which are reports of exceptions such as reported negative inventories, possession limits exceeded, limits of error on shipments not reported, and significant shipper-receiver differences; and transaction reports, which provide a large variety of detailed information based on 741 form submittals.

* Since the schedule for submission of 742-forms may not correspond to the physical inventory schedule, the missing information comes from plant records.

There is no requirement for estimation of an associated six month LEID.

Each of the four NRC regional IE offices with safeguards responsibility for SSNM licensees receives a number of these reports.

They are used primarily to check for items of non-compliance, such as possession of material in excess of license limits and excessive shipper-receiver differences, and to plan routine inspections.

In addition, reports, some of which are duplications of reports sent to regional offices, are routinely submitted to IE Headquarters and to the Division of Safeguards, NMSS.

These reports are received primarily to maintain an up-to-date library of information for use on a demand basis and currently are not subjected to the type of routine systematic analysis which is envisioned in the material accounting goals listed above.

With respect to the first goal (MA 12), which relates to shipper-receiver differences, the current NMMSS system appears to collect most of the information needed to enable NRC to achieve the goals.

However, some detailed staff analysis is necessary to determine the exact additional informational requirements to meet the goals.

For example, the present reporting requirements exempt shipments of 350 grams or less from the requirement to report limits of error.

Therefore, present NMMSS data is not sufficient to permit NRC to statistically evaluate all shipper-receiver discrepancies as low as 50 grams.
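
The reporting gap described above, and the 95 percent test applied to shipper-receiver differences, can be shown on a few constructed transfer records. This is an added example, not NMMSS code or a procedure taken from the report; it assumes each limit of error is a 95 percent half-width, that shipper and receiver errors are independent and combine in quadrature, and all records and field names are constructed. The cumulative check per shipper-receiver pair goes beyond the per-shipment test, in the direction of the trend and bias monitoring called for in MA 12.

```python
import math
from collections import defaultdict, namedtuple

FLOOR_G = 50.0  # report: differences involving 50 g or more must be reconciled

# le_s / le_r: shipper's and receiver's limit of error in grams (assumed to be
# a 95 percent half-width); None means it was not reported.
Transfer = namedtuple("Transfer", "id shipper receiver shipped received le_s le_r")

# Constructed records (grams of contained material), not real data.
TRANSFERS = [
    Transfer("T1", "AAA", "BBB", 5000.0, 4972.0, 18.0, 24.0),
    Transfer("T2", "AAA", "BBB", 4800.0, 4772.0, 18.0, 24.0),
    Transfer("T3", "AAA", "BBB", 5100.0, 5072.0, 18.0, 24.0),
    Transfer("T4", "AAA", "BBB", 4900.0, 4872.0, 18.0, 24.0),
    Transfer("T5", "CCC", "DDD", 2000.0, 1930.0, 30.0, 40.0),
    Transfer("T6", "CCC", "DDD", 300.0, 245.0, None, None),  # under 350 g: no limit of error
    Transfer("T7", "CCC", "DDD", 1000.0, 1025.0, 12.0, 16.0),
]


def evaluate(t):
    """Return (difference, combined limit of error or None, status) for one transfer."""
    srd = t.shipped - t.received
    if t.le_s is None or t.le_r is None:
        # Without limits of error the 95 percent test cannot be applied at all.
        return srd, None, "not evaluable" if abs(srd) >= FLOOR_G else "below floor"
    combined = math.hypot(t.le_s, t.le_r)  # root-sum-square of the two limits
    significant = abs(srd) >= FLOOR_G and abs(srd) > combined
    return srd, combined, "significant" if significant else "not significant"


def cumulative_by_pair(transfers):
    """Sum differences per shipper-receiver pair and test the total for a bias."""
    totals = defaultdict(lambda: [0.0, 0.0])  # pair -> [sum of srd, sum of le^2]
    for t in transfers:
        srd, combined, _ = evaluate(t)
        if combined is None:
            continue  # unevaluable records cannot contribute to the test
        totals[(t.shipper, t.receiver)][0] += srd
        totals[(t.shipper, t.receiver)][1] += combined ** 2
    result = {}
    for pair, (total, var) in totals.items():
        le = math.sqrt(var)
        flagged = abs(total) >= FLOOR_G and abs(total) > le
        result[pair] = (round(total, 1), round(le, 1), flagged)
    return result


if __name__ == "__main__":
    for t in TRANSFERS:
        srd, combined, status = evaluate(t)
        le_text = "n/a" if combined is None else f"{combined:.1f}"
        print(f"{t.id} {t.shipper}->{t.receiver} SRD={srd:+.1f} g  LE={le_text}  {status}")
    for pair, (total, le, flagged) in cumulative_by_pair(TRANSFERS).items():
        print(pair, f"cumulative SRD={total:+.1f} g  LE={le:.1f}  flagged={flagged}")
```

The four AAA to BBB shipments each pass the per-shipment test, yet their one-sided differences add up to a flagged total; T6 shows a 55 gram difference that cannot be tested because no limit of error was reported.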

With respect to the second goal (MA 17), several significant deficiencies exist in the adequacy of the data.

First, NMMSS inventory data, which is reported semiannually, does not include limits of error (LEID), and this prevents utilization of sensitive loss detection tests.

Second, the data submitted only summarizes the results of these six month periods.

This significantly decreases the analytical power of certain time series techniques for analyzing inventory results.

Third, data for a given licensee is submitted under one or more identification symbols; in the latter case, one symbol is generally used for privately owned material and another for government owned material. The allocation of these symbols to licensees often is not consistent with the partitioning of a facility into separate plants, each of which must meet certain material accounting requirements provided for in the regulations.

Presently it is quite difficult in a number of cases to correlate data in NMMSS with the plant structuring, against which inspectors audit.

This allocation of symbols also means that in some cases high enriched uranium and low enriched uranium operations are reported under the same symbol.

There is another problem which is not inherent in the basic structure of the NMMSS system, but which significantly influences its utility.

NRC staff experience has been that ID data contained in NMMSS does not correlate well with ID information obtained by IE regional offices from licensees.

Generally, the staff places greater faith in IE data than NMMSS data, because IE data has been routinely checked by NRC inspectors against source data and other records.

The NMMSS data, on the other hand, receives no similar routine checks or analysis by either NRC or NMMSS staff.

Moreover, there is no requirement for licensees to report bimonthly ID's and their associated material balance uncertainty components to NMMSS; nor is there any requirement for licensees to distinguish between HEU and LEU in the ID data they do report.

A contractual study has been initiated to identify the discrepancies between NMMSS and IE data and to determine their sources so that the NMMSS data for IDs can be corrected.

Pending completion of this study and establishment of cross-check procedures for the NMMSS system, NMMSS will continue to be of marginal value in supplying ID data to support NRC in meeting the proposed assurance goals.

There is one final problem associated with NMMSS; it is one of timeliness and flexibility in meeting requests for information.

The present procedure is for an NRC staff member to call Oak Ridge and to request a report containing the desired information.

The NMMSS staff responds to such requests as rapidly as possible, but the data delivery is subject to the following constraints:

(1) NMMSS does not have first priority on the Oak Ridge computer system (NMMSS uses the K-25 computer facility); (2) there is sometimes a breakdown in the transmission of the data to NRC since NRC does not interact directly with the computer system; (3) NRC has provided insufficient guidance to NMMSS staff to permit them to design reports which succinctly present important safeguards data or to edit existing data for correctness; and (4) NMMSS's program language (COBOL) is not flexible enough to modify existing software on an ad hoc basis.

Consequently, it usually takes several days for the NRC staff member to obtain the requested data, and the data, when it arrives, often is inconsistent or incorrect and is formatted in a manner that may require extensive collation and analysis on the part of NRC staff.

Safeguards Status Report System

Currently, licensees routinely submit the results of bimonthly physical inventories to IE regional offices within 30 days after beginning of the inventory.

Data is edited and transcribed by the regional offices into a standard format and forwarded to IE Headquarters.

Those data are further edited at IE Headquarters and form the basic report to the Safeguards Status Report System (White Book), which is issued every three to six months.

Since the White Book contains classified information, distribution is tightly controlled on a need-to-know basis.

However, it does provide a basis for NRC's new semiannual report (Grey Book) to the public on safeguards, which includes ID data.

The White Book contains detailed inventory data which are more oriented toward the current regulations than NMMSS data.

For example, the White Book contains plant material throughput and LEID data.

Data are reported on individual plants rather than facilities, and currently cover 82 plants located at twenty-two facilities, including low enriched uranium facilities.

For each plant, the book reports throughput data for each inventory period, a twelve-month running calculation of cumulative ID, ID for each inventory period, and LEID for each inventory period.

It also summarizes the same information except for LEID on a yearly basis from plant start-up to the beginning of the period for which the bimonthly data have been collected.

In addition to inventory data, the White Book also includes information on shipments of SSNM in quantities sufficient to require physical protection during transit, i.e., five formula kilograms.

The information reported includes identification of shipper and receiver, date, mode of transport, and type of material.

With respect to the goal related to shipper-receiver differences (MA 12), NMMSS generally provides more complete and timely data than the White Book.

The White Book is issued on a quarterly basis, generally about six to eight weeks after the end of the quarter.

Hence some of the "new" data appearing in the White Book may be as much as five months old.

With respect to the second goal (MA 17), the White Book provides the significant advantages discussed above.

The major shortcomings are the lack of cumulative LEID information and problems with timeliness.

In fairness, however, it should be stated that there is currently no requirement for licensees to compute LEID on a cumulative basis and that licensee data are available to cognizant NRC staff as soon as they are received in IE Headquarters.

The White Book data base has recently been put on a secure computer system (in Oak Ridge).

This development has the potential to enhance NRC analytic activity and should mitigate the problem of obtaining White Book data for analysis in a timely manner.

Inspection and Investigation Reports

Inspection reports summarize the results of routine and special IE inspections to determine whether licensees are operating in conformance with NRC regulations and license conditions.

Inspections at facilities processing significant quantities of SSNM are conducted on a quarterly basis, with inspection schedules adjusted depending on recent operating history.

It is not the primary goal of these reports to provide the type of information flow needed for the analysis envisioned by the two goals specified above.

However, they frequently contain detailed information on physical inventories, and as a result, will sometimes provide information on a more timely basis than the White Book.

Also, they can provide valuable back-up information for analysts.

Inspection Reports are normally sent from regional offices to IE Headquarters within a month of the inspection and copies are subsequently sent to NMSS.

Investigation reports are also issued following IE inspections of abnormal situations or occurrences.

They normally would not contribute directly to the systematic analysis related to the goals, but could provide useful background information.

Comprehensive Evaluation Reports

Comprehensive evaluations, which are described in Chapter Five and detailed in Appendix E, have the inherent capability of providing much of the information needed to address the goals specified above.

However, at the current schedule of evaluating sites, these evaluations may be the least timely of current information sources.

Also, the data needed for evaluation is not always available.

For example, a specific problem noted during recent evaluations was that licensee data was not always maintained in a format which lent itself to calculation of cumulative LEIDs.

Analyses designed to meet the goals of material control and material accounting would provide a valuable input to comprehensive evaluations.

These two capabilities, comprehensive evaluation and data analysis, should really be part of a single effort and should be closely coordinated, or totally integrated.

Licensee Reports of Abnormal Occurrences

Existing regulations and NRC directives currently require licensees to report abnormal occurrences or situations such as loss or theft of SSNM, attempted thefts of SSNM, and excessive IDs.

These reports would not normally contribute to the systematic analyses related to the goals specified above, but should be provided to data analysts as background information.

In certain cases, data analysts could provide valuable input in responding to such reports.

Recommendations

To enable the Office of Nuclear Material Safety and Safeguards to fully and effectively carry out its congressional mandate to monitor internal accounting systems for special nuclear material, and to meet material accounting goals MA 12 and MA 17, the Task Force recommends the following:

RVI-7(a) The shipment threshold for reporting limit of error into the NMMSS system be lowered from 350 grams to 50 grams.

(b) The NMMSS reporting entities for SSNM licensees should be made consistent with the partitioning of facilities into plants.

(c) For those facilities which must be partitioned into accounting units to meet the goals in Chapter Four, each accounting unit should be required to report inventory difference, and pertinent limit of error data to NMMSS on an accounting unit basis.

(d) The NMMSS reporting entities for SSNM licensees should clearly separate the high enriched uranium (HEU) from the low enriched uranium (LEU) operations.

(e) NRC should significantly upgrade its editing of reported licensee safeguards data for corrections and consistency, and obtain flexible computer software that presents safeguards information in a succinct and comprehensive manner.

(f) NRC should establish within NMSS a program for routine analysis of material accounting information.

(g) NRC should take immediate action to obtain a secure interactive computer capability to use in collecting, storing, sorting, and analyzing special nuclear material status data.

(h) NRC should expeditiously determine the additional licensee data needed to meet goals MA 12 and MA 17 and should initiate rule making necessary to obtain such data.

(i) NRC should determine if any unnecessary licensee safeguards data is presently being reported, and if so draft rule amendments deleting such data from reports.

Three important points should be mentioned in connection with the Task Force's recommendations that NRC significantly upgrade the timeliness and flexibility of its safeguards information system through an interactive secure computer capability.

First, the establishment of a new secure NRC computer system or interactive system does not, of itself, impose duplicate reporting requirements on licensees.

However, the NRC staff should carefully consider the impact of a new system on licensee reporting and try to include any new requirements, to the extent possible, in concert with IAEA reporting requirements to minimize any duplication of reporting, and any revision to licensee record systems.

Second, the establishment by NRC of its own secure computer system or use of another secure interactive system would enhance NRC's capability to respond to ad hoc requests (Congressional, Commission, Safeguards Management, the public).

The major contribution of such a system would be toward meeting the assurance goals (MA 12 and MA 17) stated at the outset of this section.

Indeed, an NRC program of monitoring and analysis cannot be effective if it is handicapped by constraints of the kind mentioned above.

Third, the establishment of an NRC computer system or an interactive capability would have spin-off benefits related to the implicit goal of NRC evaluation of licensee capabilities vis a vis many of the other goals in this report for material control and material accounting.

At present NRC is unable to use any data analysis techniques or evaluative methods which require the processing or generation of classified data by a computer to evaluate licensee capabilities.

The Task Force envisions that the development of an Integrated Safeguards Information System (ISIS), for which some contracts have already been issued, will substantially improve the flow and analysis of safeguards information and modify the specific actions suggested.

However, ISIS is, at best, several years from being operational and action is required to meet current needs.

References - Chapter Six

VI-1 Comptroller General of the United States, An Unclassified Digest of a Classified Report Entitled, "Commercial Nuclear Fuel Facilities Need Better Security," May 1977.

VI-2 McSweeney, T. I., et al., Battelle Pacific Northwest Laboratories, "Summary of Findings Evaluating Material Accounting Losses at Four Licensee Facilities," November 14, 1977.

VI-3 US Atomic Energy Commission Manual, Chapter 7401, November 1956.

VI-4 United States Atomic Energy Commission, Nuclear Materials Management Handbook, AEC Manual Appendix 7401, July 1960.

VI-5 United States Atomic Energy Commission, Proposed Guide for Preparation of Fundamental Material Controls and Nuclear Materials Safeguards Procedures, Revision A, April 1968.

VI-6 Code of Federal Regulations, Title 10, Energy, Revised as of January 1, 1977.

VI-7 Jaech, J. L., Statistical Methods in Nuclear Material Control, U.S. Atomic Energy Commission, Publication TID-26298, December 1973.

VI-8 Office of Nuclear Material Safety and Safeguards, U.S. Nuclear Regulatory Commission, Report of Strategic Special Nuclear Material Inventory Differences, NUREG-0350, Vol. 1, No. 1, August 1977.

VI-9 Siri, W. E., et al., A Study of Nuclear Material Accounting, NUREG-0290, Vol. 1 of 3, (Prepared for the U.S. NRC by Lawrence Berkeley Laboratory), April 1977.

VI-10 Stewart, K. B., Minimum Variance Unbiased Estimators of Loss and Inventory Amounts, Battelle PNL, September 1977.

VI-11 SECY-R-74-197, "Staff Review of the Special Safeguards Study," May 9, 1974.

VI-12 RETIMAC, A Program to Develop and Implement Real-Time Materials Control, January 1974, enclosure to SECY-R-74-197.

VI-76 VI-13 NUREG-75/060, "Special Safeguards Study - Scopes of Work," U. S.

Nuclear Regulatory Commission, June 1975.

VI-14 WASil-1327, "A Draft Environmental Impact Statement on the Use of Recycle Plutonium in Mixed-0xide Fuels in Light Water Reactors,"

August 1974.

VI-15 Keepin, G. R., " Development and Implementation of Dynamic Materials Control," LA-UR-75-1004, Los Alamos Scientific Laboratory, 1975.

VI-16 "RETIMAC - A Real-Time Material Control Concept for Strategic Special Nuclear Material," Working Paper B, U.S. Nuclear Regulatory Commission, January 1975.

VI-17 Smith, G. D., "USNRC Special Safeguards Study on Nuclear Material Control and Accounting," Paper presented at INMM meeting in Seattle, June 1976 (proceedings published).

VI-18 Bain, Jr., E. E. et al., "An Evaluation of Real-Time Material Control and Accountability in a Model MO2 Fuel Plant," SAI-75-648-LJ, Report prepared for the USNRC Special Safeguards Study, Science Applications, Inc., September 1975.

VI-19 Pomernacki, C. L., et al., "Executive Summary of the [USNRC] Special Safeguards Study on Material Control and Accounting Systems," Lawrence Livermore Laboratory, September 1975.

VI-20 Pomernacki, C. L., et al., "Technical Appendix for the [USNRC] Special Safeguards Study on Material Control and Accounting Systems," Lawrence Livermore Laboratory, September 1975.

VI-21 "Dynamic Materials Control - A Balanced Approach to Nuclear Safeguards," unnumbered and undated report, Los Alamos Scientific Laboratory.

VI-22 Gambill, E. F., "New Emphasis on Material Accountability's Role in Special Nuclear Materials Security," Paper presented at INMM meeting in New Orleans, Louisiana, June 1975 (proceedings published).

VI-23 Shipley, J. P., et al., "Coordinated Safeguards for Materials Management in a Mixed-Oxide Fuel Facility," LA-6536, Los Alamos Scientific Laboratory, February 1977.

VI-24 Fagan, J. F., et al., An Independent Assessment of the Conceptual Design of an Engineered Safeguards System for a Mixed-Oxide Fabrication Facility, Draft Final Report No. 307, May 1977.

VI-25 Seabaugh, P. W., et al., "Application of Controllable Unit Methodology to a Realistic Model of a High-Throughput, Mixed-Oxide Fabrication Process," Draft Report, MLM-MU-68-0001, Mound Laboratory, August 17, 1977.

VI-26 Barnhart, C. L., Ed., The American College Dictionary, p. 237 and p. 259.

VI-27 U.S. NRC proposed rule, Federal Register, Vol. 42, No. 128, pp. 34310-34326, July 5, 1977.

VI-28 Edelhertz, H., and Walsh, M., The White Collar Challenge to Nuclear Safeguards, a study prepared for the U.S. Nuclear Regulatory Commission, January 1977.

VI-29 Nuclear Surety, U.S. Army Regulation No. 50-5, September 1976.

VI-30 Matese M., K. Goodman, and J. Schleter, Diversion Path Analysis Handbook, a study prepared by National Bureau of Standards for U.S. ERDA, October 1976.

VI-31 Preliminary Results and Briefings on the Lawrence Livermore Laboratories Material Control Evaluative Methodology project, September 1977.

VI-32 Preliminary Results and Briefings on the Science Applications, Inc. Security Force Collusion project, October 1977.

GLOSSARY

Accessible to theft -

See not accessible to theft.

Accountability -

The capability of a facility's material control and material accounting programs to control and account for the nuclear material in its possession.

Accounting Unit -

An identifiable physical area, established to meet the goals of Chapter Four, such that: (1) the quantity of nuclear material being moved into or out of the area is represented by a measured value determined through an NRC approved measurement and measurement control program, (2) sufficient access controls exist to preclude theft by the same adversary from two or more such areas, and (3) sufficient record system security and redundancy is maintained to preclude falsification of records of more than one such area by any individual having access to special nuclear material.

Alarm Assessment -

The gathering of sufficient information to determine, and the final determination of, the significance of evidence that a malevolent act may have occurred. Assessment techniques should provide such information as the nature of the threat which caused an alarm and the reliability of the alarm.

Assurance -

The safeguards function incorporating measures to satisfy the NRC and the public that safeguards are in place and can provide protection against attempted acts of theft, diversion, or sabotage that would significantly increase the risk to the public health, injury, or property damage.

Audit -

An official examination and verification, according to accepted procedures, of practices, accounts and records.

Book Inventory -

A determination of the quantity of special nuclear material on hand at a given time based on records which are themselves based on measurements. The book inventory is calculated by subtracting the amount of material removed from inventory since the previous physical inventory from the sum of the amount of material on inventory during the previous physical inventory and the additions to inventory since the previous physical inventory.

CFE or Clandestine Fission Explosive -

A nuclear explosive device which has been illicitly fabricated. A nuclear explosive device is any explosive device, using special nuclear material, for which the total explosive energy released is significantly greater than the explosive energy released by the conventional high explosive components.

CID or Cumulative Inventory Difference -

The quantity determined by summing a series of consecutive inventory differences (see also ID). In most places where CID is referred to in this report, the Task Force means the sum of six consecutive inventory differences calculated from the bimonthly material balances over the past year.

Controllable Unit -

If a facility as a whole cannot meet the material control goals, then the Task Force envisions that it be partitioned into a set of controllable units, each of which is a material control area defined, designed, and bounded in such a way that the material control goals can be met.

CUSUM or Cumulative Sum -

A family of trend analysis techniques based upon consideration of sums of consecutive inventory differences and the limits of error associated with these sums. CUSUM methods range from relatively simple techniques such as tests of CID against LECID to sophisticated control charts.

Detection with High Assurance -

A detection (alarm) probability of 90% or more. In some uses, such probability can be determined rigorously by using recognized statistical techniques (e.g., a statistical sampling plan for items or through propagation of measurement errors (uncertainties) determined by a measurement control program meeting the criteria of Section 70.57 of 10 CFR). When the probability of detection cannot be rigorously determined statistically, "high assurance" for detection may be achieved through other means, such as (for process monitoring) comparison of expected yield with experienced yield, and use of bulk, weight, and volume measurements and NDA. In such cases, NRC should stipulate (possibly on a case by case basis) what level of performance is in order to achieve "high assurance".

Deterrence -

The safeguards function that incorporates measures intended to discourage a potential adversary from attempting a malevolent act.

Diversion -

The illegal misuse of goods, as in the diversion of funds.

In the safeguards context, diversion is distinguished from theft in that theft of material involves the removal of the material from its authorized location, while diversion involves illicit use of the material in its authorized location.

Effective Kilogram -

The number of effective kilograms of special nuclear material is computed as: (1) For plutonium and uranium-233 their weight in kilograms; (2) For uranium with an enrichment in the isotope U-235 of 0.01 (1%) and above, its element weight in kilograms multiplied by the square of its enrichment expressed as a decimal weight fraction; and (3) For uranium with an enrichment in the isotope U-235 below 0.01 (1%), its element weight in kilograms multiplied by 0.0001.

Five Formula Kilograms -

A quantity of 5,000 grams of the isotope uranium-235 (contained in uranium enriched to 20% or more in the uranium-235 isotope), uranium-233, or plutonium alone or in any combination, computed by the formula, grams = (grams contained uranium-235) + 2.5 (grams uranium-233 + grams plutonium).

Goal -

A specific statement of that toward which efforts are directed.

In the structure developed in this report, the achievement of an objective is accomplished through the achievement of one or more specific goals which have been derived from that objective.

Hoax -

A threat made by a group or individual, lacking the capability to perform the actions threatened, with the intent of extorting concessions from the government or private individuals.

ICA or Item Control Area -

An identifiable physical area such that the quantity of nuclear material being moved into or out of the area is controlled and accounted for by item identity and count for previously determined special nuclear material quantities, the validity of which is assured by tamper-safing unless the items are sealed sources.

ID or Inventory Difference -

The quantity determined by subtracting ending inventory (EI) plus removals (R) from beginning inventory (BI) plus additions to inventory (A). Mathematically, ID = BI + A - EI - R.

For historical reasons, inventory difference is also called MUF or material unaccounted for.

Independent Verification -

A check by one organizational unit on another organizational unit performing an operation to ensure that the operation was performed in accordance with the applicable material control and material accounting procedures.

For example, independent verification of intraplant transfers could be accomplished if both the shipping and receiving custodians witnessed the transfer measurement and copies of the measurement results were sent directly to both parties to the transaction.

Integrity -

Sound, unimpaired, or perfect condition.

For example, checking the integrity of a tamper-safed container would consist of ensuring that the seal had not been broken and that the container had not been otherwise breached.

ISIS -

An acronym for the "Integrated Safeguards Information System" currently under development within the Nuclear Regulatory Commission.

LECID or Limit of Error on Cumulative Inventory Difference -

The limit of error, based upon estimates of measurement errors and statistical analysis, on cumulative inventory difference.

LEID or Limit of Error on Inventory Differences -

The limit of error, based upon estimates of measurement errors and statistical analysis on inventory differences. For historical reasons, this is also known as LEMUF or Limit of error on MUF.

Limit of Error -

The uncertainty component used in constructing a 95% confidence interval associated with a quantity after any recognized bias has been eliminated or its effect accounted for. For example, the limit of error for an unbiased normally distributed random variable is 1.96 times its standard deviation.

Material -

As used in this report, material means, unless otherwise specified, plutonium, uranium-233, or uranium enriched to 20% or more in the isotope uranium-235.

Material Accounting System -

The part of the safeguards system encompassing the procedures and systems to: (1) perform nuclear material measurements, (2) maintain records, (3) provide reports, and (4) perform data analysis to account for nuclear material.

Material Balance -

A determination of ID and LEID and subsequent reconciliation of records through: (1) the taking of a physical inventory, (2) determination of ID by comparing the book inventory and the physical inventory, (3) determination of LEID from the measurement control program using appropriate statistical techniques, (4) reconciliation of the book inventory with the physical inventory, and (5) reconciliation of subsidiary accounts with the central records.

Material Control System -

The part of the safeguards system encompassing management and process controls to: (1) assign and exercise responsibility for nuclear material, (2) maintain vigilance over the material, (3) govern its internal movement, location, and utilization, and (4) monitor the inventory and process status of all nuclear material.

MBA or Material Balance Area -

An identifiable physical area such that the quantity of nuclear material being moved into or out of the area is represented by a measured value determined through an NRC approved measurement and measurement control program.

Measurement Bias -

A constant unidirectional component of measurement error that affects all members of a data set. Its value is estimated by the deviation of the mean of a measurement process from a reference value.

Measurement Error -

A deviation from the correct value.

It does not mean a mistake made in making a measurement.

Measurement Uncertainty -

The extent to which a measurement result is in doubt because of the effects of random and systematic error variances.

NMIS -

An acronym for the "Nuclear Materials Information System." This system is now referred to as NMMSS.

NMMSS -

An acronym for Nuclear Materials Management and Safeguard System which is a computerized information system operated jointly by the Nuclear Regulatory Commission and the Department of Energy.

NMSS -

An acronym for the "Office of Nuclear Material Safety and Safeguards" which was established within the Nuclear Regulatory Commission by the Energy Reorganization Act of 1974.

Not Accessible to Theft -

Special nuclear material is considered to be not accessible to theft if it is a) not readily separable from other radioactive material and the combined materials have a total external radiation dose rate in excess of 100 rems per hour at a distance of 3 feet from any accessible surface without intervening shielding, b) locked in a vault-type room which is tamper-safed and under continuous electronic intrusion detection surveillance, or c) of a size and form which prohibits diversion or theft without rapid detection, such as a fuel assembly.

Objective -

A general statement of an end toward which efforts are directed.

Organizational Unit -

A group of one or more employees within a company who have the responsibility for a single phase of the corporate operations.

Physical Inventory -

The determination on a measured basis of the quantity of special nuclear material on hand at a given time. The methods of physical inventory and associated measurements will vary depending on the material to be inventoried and the process involved.

Physical Protection System -

The part of the safeguards system encompassing the equipment, procedures, and physical controls to: (1) protect nuclear materials from theft or diversion through the use of access and egress controls and physical barriers, (2) detect attempts at theft or diversion through the use of surveillance measures and alarm systems, and (3) respond to attempts at theft or diversion through the use of on-site security personnel and off-site law enforcement forces.

Prevention -

The safeguards function incorporating measures, including an armed response to an attack, to stop an adversary from successfully completing a malevolent act (note that an armed guard response is a safeguards element supporting the prevention function whereas response is a safeguards function in its own right).

Random Error -

The random variation encountered in all measurement work, characterized by the random occurrence of both positive and negative deviations from a mean value.

Rapid -

Providing or analyzing information in a timely manner. For example, a rapid material control system provides material status information at the end of each shift.

Real-Time -

Providing or analyzing information with no perceptible delay. For example, a real-time material control system is a system, consisting of an on-line computer interfaced directly with material assay stations throughout a plant, to provide current material status information.

Reconcile -

In the context of this report, this term means to bring two conflicting analysis or measurement results into agreement by use of NRC approved procedures.

Response -

The safeguards function incorporating measures to stop an adversary from utilizing stolen or diverted material or to mitigate the consequences of its use.

Safeguards -

A broad term that generally refers to the overall program used by a facility or transporter to physically protect, and to control and account for the nuclear material in its possession. It includes the physical protection system, the material control system, the material accounting system, and safeguards management.

Safeguards Elements -

The equipment and procedures which comprise each safeguards system. For example, process monitoring is a safeguards element of the material control system.

Safeguards Functions -

The means by which the safeguards program accomplishes its objective.

In this report, deterrence, prevention, response, and assurance were identified as the four safeguards functions.

Safeguards Management -

The part of the safeguards program encompassing those NRC activities necessary to assure the effectiveness and efficiency of the safeguards program.

It entails such supportive functions as proposing safeguards legislation, promulgating regulations, providing regulatory guides, disseminating information concerning penalties for theft and rewards for information about potential or actual thefts, assisting in the analysis of intelligence information, conducting a safeguards research program, and assessing the effectiveness of safeguards across the licensed nuclear industry.

Safeguards Measures -

The processes by which the safeguards functions are accomplished. For example, the demonstration of effective systems is a safeguards measure which contributes to the deterrence function.

Significant Amount -

Five formula kilograms or more of strategic special nuclear material. (See strategic special nuclear material and five formula kilograms).

Significant Loss -

The loss of a significant amount of strategic special nuclear material.

SNM or Special Nuclear Material -

Plutonium, the isotope uranium-233, or the element uranium enriched in the isotope uranium-233 or in the isotope uranium-235.

SSNM or Strategic Special Nuclear Material -

The isotope uranium-235 (contained in uranium enriched to 20% or more in the uranium-235 isotope), the isotope uranium-233, or plutonium.

Systematic Error -

Measurement Bias.

Tamper-Safing -

The use of devices on containers or vaults in a manner and at a time that ensures a clear indication of any violation of the integrity of previously made measurements of special nuclear material within the container or vault.

Theft -

An act of stealing, the illegal taking and carrying away of the goods of another; larceny.
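The glossary entries for ID, CID, LEID, LECID, Limit of Error and Five Formula Kilograms, worked through as an added Python example that is not part of the report. The balance figures are constructed, and taking LECID as the root-sum-square of the six LEIDs assumes independent measurement errors between periods, which the glossary does not specify.

```python
"""Added example (not from the report): inventory-difference trend test.
All balance figures are constructed sample data, in grams of plutonium."""
import math
from dataclasses import dataclass

Z95 = 1.96  # glossary: limit of error = 1.96 x standard deviation

@dataclass
class Balance:
    bi: float     # beginning inventory (BI)
    a: float      # additions to inventory (A)
    r: float      # removals (R)
    ei: float     # ending physical inventory (EI)
    sigma: float  # std. deviation of ID, from the measurement control program

    @property
    def inv_diff(self) -> float:
        # ID = BI + A - EI - R, i.e. book inventory minus physical inventory
        return self.bi + self.a - self.ei - self.r

    @property
    def leid(self) -> float:
        return Z95 * self.sigma

def formula_grams(u235: float, u233: float, pu: float) -> float:
    """Glossary formula; u235 is U-235 contained in uranium enriched to >= 20%."""
    return u235 + 2.5 * (u233 + pu)

def sample_year():
    """Six constructed bimonthly balances, each coming up 350 g short."""
    out, bi = [], 50_000.0
    for _ in range(6):
        a, r = 12_000.0, 11_500.0
        ei = bi + a - r - 350.0   # physical inventory is 350 g below book
        out.append(Balance(bi, a, r, ei, sigma=200.0))
        bi = ei                   # next period starts from the measured value
    return out

def review(balances):
    """Per-period ID-vs-LEID checks plus the simple CUSUM test of CID vs LECID."""
    ids = [b.inv_diff for b in balances]
    period_alarms = [abs(b.inv_diff) > b.leid for b in balances]
    cid = sum(ids)
    # ASSUMPTION (not from the report): period errors are independent, so
    # variances add and LECID is the root-sum-square of the LEIDs.
    lecid = math.sqrt(sum(b.leid ** 2 for b in balances))
    return {"ids": ids, "period_alarms": period_alarms,
            "cid": cid, "lecid": lecid, "cid_alarm": abs(cid) > lecid}

if __name__ == "__main__":
    result = review(sample_year())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("formula grams in CID:", formula_grams(0.0, 0.0, result["cid"]))
```

With this data no single bimonthly ID exceeds its LEID, yet the six-period CID exceeds LECID and amounts to more than five formula kilograms.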
